Person authentication system, person authentication method and program providing medium

ABSTRACT

An entity which executes person authentication such as a service provider (SP) and a user device (UC) receives a request for person authentication from an entity which requests person authentication. The entity which requests person authentication can vary in form. The entity which executes person authentication decrypts the template by using a person identification certificate that can be owned by the entity which executes person authentication or provided from the outside, compares the template with sampling information input by a user and notifies the entity which requests person authentication of the result of comparison. The data for person identification is provided as encrypted information that can be decrypted only by the entity which executes person authentication, thereby performing safe authentication in various locations or devices, while preventing the template information from leaking out.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to a person authentication system, aperson authentication method, and a program providing medium. Moreparticularly, the present invention relates to a person authenticationsystem, a person authentication method, and a program providing medium,which can be advantageously employed, in a communication network such asthe Internet or in data communication performed via a medium, toidentify a person at a receiving end or to authenticate a person whouses a particular information apparatus such as a personal computer.

2. Description of the Related Art

A data processing apparatus such as a personal computer (PC) is widelyused in a company or by a person. In some cases, secret data is storedin such an apparatus. To prevent such secret data from being accessed byan unauthorized user, techniques of preventing information stored in aPC from being leaked have been developed. One known technique for thispurpose is to identify a user on the basis of a password input by theuser or on the basis of biometric information of the user.

Now, it is popular to distribute various kinds of software data such asa game program, audio data, image data, and a document generatingprogram (hereinafter, such software data will be referred to as acontent) via a network such as the Internet or a storage medium such asa DVD or a CD which can be distributed. In such a situation, it ishighly desired to quickly identify a user in a highly reliable fashionin various processes such as distribution of a content or reception of afee for usage of a content. Furthermore, in the user identificationprocess, it is very important to prevent personal information from beingleaked.

One widely-used user identification method is to compare input data withpreassigned data such as a user ID or a password. However, in thismethod, there is always a possibility that a registered user ID orpassword is leaked. Once a user ID or password has been leaked, the sameuser ID or password becomes unusable. One known method to avoid theabove problem is to identify a user using biometric information.

An example of a conventional process of identifying a person usingbiometric information is described below. A representative example ofbiometric information for the above purpose is a fingerprint. A personauthentication apparatus which reads a fingerprint and verifies it isdescribed below with reference to FIG. 1. In FIG. 1, a user of a PC 20registers his/her fingerprint information in a person authenticationapparatus 10 including a reading apparatus, and data indicating thefingerprint is stored in a secure memory 14. The fingerprint informationstored therein is called a template. When the user uses data on thepersonal computer 20, his/her fingerprint is read and compared with thetemplate by the person authentication apparatus 10 serving as afingerprint reading apparatus.

More particularly, reading of fingerprint information of a user isperformed by a personal information acquisition unit 11 formed of a CCDcamera or the like. After being read, the fingerprint information issubjected to a feature extraction process performed by an informationconversion unit 12, and resultant data is compared, by a comparator 13,with the template stored in the secure memory 14.

The comparator 13 determines whether or not the data is identical to thetemplate on the basis of a threshold value preset in the comparator. Ifthe data and the template match with each other to a degree higher thanthe threshold value, the comparator 13 outputs an OK signal, while a NGsignal is output when the matching degree is lower than the thresholdvalue. The fingerprint information is stored in the form of fingerprintimage data, and the data indicating the feature extracted by theinformation converter 12 is compared with the image data to check thematching degree relative to the threshold value.

In the case where the comparator 13 determines that the inputinformation and the registered information match with each other, anauthentication success message is transmitted to the personal computer20 via a communication unit 16, and the user is permitted to access thepersonal computer 20. If it is determined that the input data does notmatch with the registered information, an authentication failure messageis transmitted, and accessing to the personal computer 20 is refused.The person authentication apparatus 10 may include fingerprintinformation templates of a plurality of users (user ID=ID1 to IDn)stored in the secure memory as shown in FIG. 1, and a user may bepermitted to access the PC if the person authentication apparatus 10determines that a fingerprint of the user matches with some storedtemplate. This makes it possible for a single person authenticationapparatus to deal with a plurality of users.

[Problems to be Solved by the Invention]

However, the above-described person authentication apparatus has thefollowing problems arising from the construction in which templates arestored in a memory of the fingerprint reading/comparing apparatus.

(a) To use the comparison result, it is required that a template beincluded in the fingerprint reading/comparing apparatus.

(b) In the case where a fingerprint is compared at a plurality ofdifferent locations, it is required to register, beforehand, thefingerprint in a plurality of fingerprint read/comparison apparatuses.

(c) Because templates are stored in the fingerprint reading/comparingapparatus, there is a risk that data representing templates may betampered with or may be read by an unauthorized person.

(d) When the comparison result is transmitted to a PC or the like, thecomparison result can be easily attacked.

As described above, the conventional person authentication system iscoupled in an inseparable fashion to a particular data processingapparatus such as a personal computer which deals with secretinformation, in which the person authentication system is assumed toauthenticate only users who deal with that personal computer, and thusthe person authentication system cannot be used to authenticate a userwho uses another device in which no template is stored. Furthermore,because templates are stored in the fingerprint reading/comparingapparatus itself, there is a problem in terms of security andreliability of templates.

Furthermore, in data transmission in which encrypted data is transmittedvia a network or in data distribution via a medium, data is generallyencrypted using a public key, and a public key certificate is widelyused to guarantee the reliability of the public key. However, although apublic key certificate certifies a public key itself, the public keycertificate cannot guarantee the relationship between the public key anda person who owns that public key. That is,

(e) No technique is known to guarantee the relationship between a publickey used in transmission of encrypted data or the like and an owner ofthat public key, and a good enough means for identifying the owner ofthe public key is not known.

As described above, the conventional person authentication system hasvarious problems to be solved. In particular, in a recent socialsituation in which advanced communication systems via networks such asthe Internet have become very popular, a large amount of secretinformation and personal information are frequently dealt with usingvarious communication devices and data processing devices at variouslocations and at various times. Furthermore, in pay contentsdistribution systems/services in which contents are distributed tospecific users such as registered members, it is required to identifyusers when contents are distributed or services are provided. Thus, itis highly desired to realize a person authentication system which isusable without having limitations in terms of locations, times, anddevices used.

SUMMARY OF THE INVENTION

In view of the above, it is an object of the present invention toprovide a person authentication system and a person authenticationmethod, which allow person authentication to be performed in varioussituations and environments in a highly reliable fashion, and whichallow template information to be stored and used in a highly securemanner, and furthermore, which can be used in conjunction with a publickey certificate, thereby allowing person authentication to be used invarious fields.

Particularly, the present invention provides a person authenticationsystem and a person authentication method, which allow various types ofentities which request or execute person authentication such as serviceproviders or user devices to compare, by using the person identificationcertificate issued by a person identification authority, the templatethat has been accepted as person identification data with the samplinginformation input by a user, whereby person authentication is performed.

In accordance with a first aspect of the present invention, there isprovided a person authentication system for executing personauthentication through comparing a template serving as useridentification data which has already been acquired with samplinginformation input by a user. The person authentication system comprises:a person identification authority for creating a person identificationcertificate storing the template; an entity which executes personauthentication for comparing the template with the sampling informationinput by a user as person authentication on the basis of the personidentification certificate; and an entity which requests personauthentication for requesting to the entity which executes personauthentication for person authentication.

Preferably, in the person authentication system, the entity whichrequests person authentication and the entity which executes personauthentication are included in a user device serving as a dataprocessing apparatus having the comparison/verification capability, andthe person identification authority provides the person identificationcertificate storing the template that has been encrypted by a public keyof said user device. The user device decrypts the encrypted template inthe received person identification certificate by using a private key ofthe user device, and compares the decrypted template with the samplinginformation input by a user, thereby performing person authentication.

Preferably, in the person authentication system, the entity whichrequests person authentication is a user device, and the entity whichexecutes person authentication is a service provider for providingservice to the user device, and the person identification authorityprovides the person identification certificate storing the template thathas been encrypted by a public key of said service provider to saidservice provider. The user device provides the sampling informationinput by a user to the service provider, and the service providerdecrypts the encrypted template in the person identification certificatereceived from the person identification authority by using a private keyof the service provider, and compares the decrypted template with thesampling information input by a user provided from the user device,thereby performing person authentication.

Preferably, in the person authentication system, the entity whichrequests person authentication is a user device or a service provider,and the entity which executes person authentication is the personidentification authority, and the user device or the service providerprovides the sampling information input by a user to said personidentification authority. The person identification authority decryptsthe template that has been encrypted in the person identificationcertificate by using a private key of the person identificationauthority and compares the decrypted template with the samplinginformation input by a user provided from the user device or the serviceprovider, thereby performing person authentication.

Preferably, in the person authentication system, the personidentification authority decrypts the template that has been encryptedin the person identification certificate by using a private key of theperson identification authority and re-encrypts the decrypted templateby using a public key of the entity which executes person authenticationand stores the re-encrypted template in the person identificationcertificate, thereby transmitting the stored template to the entitywhich executes person authentication.

Preferably, in the person authentication system, the personidentification authority receives a public key certificate from saidentity which executes person authentication and reads a public key afterverifying the public key certificate and decrypts the template that hasbeen encrypted in the person identification certificate by using aprivate key of the person identification authority and re-encrypts thedecrypted template by using the public key of the entity which executesperson authentication read from the public key certificate and storesthe re-encrypted template in the person identification certificate,thereby transmitting the stored template to the entity which executesperson authentication.

Preferably, the person authentication system comprises a mobile terminalstoring the person identification certificate, and the entity whichexecutes person authentication receives, from said mobile terminal, theperson identification certificate and a key for encrypting anddecrypting the template of the person identification certificate, thekey that has been decrypted by using a private key of the mobileterminal, and decrypts the template in the received personidentification certificate by using the key for encrypting anddecrypting the template, thereby performing person authentication.

Preferably, the person authentication system comprises a mobile terminalstoring the person identification certificate, and the entity whichexecutes person authentication receives, from said mobile terminal, thetemplate in the person identification certificate, the template that hasbeen decrypted by using a private key of said mobile terminal, therebyperforming person authentication on the basis of the received template.

Preferably, the person authentication system comprises a mobile terminalstoring the person identification certificate, and the entity whichexecutes person authentication is the mobile terminal that decrypts, byusing a private key of the mobile terminal, the template that has beenencrypted in the person identification certificate stored in the mobileterminal and compares the decrypted template with the samplinginformation input by a user, thereby performing person authentication.

Preferably, in the person authentication system, the entity whichrequests person authentication is a user device, and the entity whichexecutes person authentication is a service provider for providingservice to the user device, and the user device provides the samplinginformation input by a user and the person identification certificatestoring the template that has been encrypted by using a public key ofthe service provider to the service provider, and the service providerdecrypts, by using a private key of the service provider, the templatethat has been encrypted in the person identification certificatereceived from the user device and compares the decrypted template withthe sampling information input by a user provided from the user device,thereby performing person authentication.

Preferably, in the person authentication system, the entity whichrequests person authentication is a user device, and the entity whichexecutes person authentication is a service provider for providingservice to the user device, and the service provider verifies asignature of the person identification authority written in the personidentification certificate provided by the user device and transmits theresult of verification to the user device, and the user device decrypts,by using a private key of the user device, a key for encrypting anddecrypting the template, the key that has been encrypted by using apublic key of the user device and stored in the person identificationcertificate and provides the decrypted key to the service provider, withthe sampling information input by a user, on condition that thesignature is verified to have never been tampered with, whereby theservice provider that is the entity which executes person authenticationdecrypts, by using the key for encrypting and decrypting the template,the template in the person identification certificate received from theuser device, thereby performing person authentication.

Preferably, in the person authentication system, the entity whichrequests person authentication is a user device, and the entity whichexecutes person authentication is a service provider for providingservice to the user device, and the service provider receives thetemplate in the person identification certificate from the user device,the template that has been decrypted by using a private key of the userdevice, thereby performing person authentication on the basis of thereceived template.

Preferably, in the person authentication system, the entity whichexecutes person authentication is a user device, and the entity whichrequests person authentication is a service provider for providingservice to the user device. The user device decrypts, by using a privatekey of the user device, the template that has been encrypted in theperson identification certificate received from the personidentification authority and compares the decrypted template with thesampling information input by a user, thereby performing personauthentication and notifying the service provider of the result ofcomparison.

Preferably, in the person authentication system, mutual authenticationis performed between data transmission devices, and data is transmittedtogether with a digital signature that is verified, so as to checkwhether the data has been tampered with or not, in mutual datacommunication performed by the person identification authority, theentity which executes person authentication and the entity whichrequests person authentication.

In accordance with a second aspect of the present invention, the personauthentication method for executing person authentication throughcomparing a template serving as user identification data which hasalready been acquired with sampling information input by a user, theperson authentication method comprises the steps of: creating a personidentification certificate storing the template by said personidentification authority; reading out a request for personauthentication from the entity which requests person authentication tothe entity which executes person authentication; and comparing thetemplate with the sampling information input by a user as personauthentication on the basis of the person identification certificate, inthe entity which executes person authentication.

Preferably, according to the person authentication method, the entitywhich requests person authentication and said entity which executesperson authentication are included in a user device serving as a dataprocessing apparatus having the comparison/verification capability, andthe person identification authority provides the person identificationcertificate storing the template that has been encrypted by a public keyof the user device to the user device. The user device decrypts theencrypted template in the received person identification certificate byusing a private key of the user device, and compares the decryptedtemplate with the sampling information input by a user, therebyperforming person authentication.

Preferably, according to the person authentication method, the entitywhich requests person authentication is a user device, and the entitywhich executes person authentication is a service provider for providingservice to the user device, and the person identification authorityprovides the person identification certificate storing the template thathas been encrypted by a public key of the service provider to theservice provider, and the user device provides the sampling informationinput by a user to the service provider. The service provider decryptsthe encrypted template in the person identification certificate receivedfrom the person identification authority by using a private key of theservice provider, and compares the decrypted template with the samplinginformation input by a user provided from said user device, therebyperforming person authentication.

Preferably, according to the person authentication method, the entitywhich requests person authentication is a user device or a serviceprovider, and the entity which executes person authentication is theperson identification authority, and the user device or the serviceprovider provides the sampling information input by a user to saidperson identification authority. The person identification authoritydecrypts the template that has been encrypted in the personidentification certificate by using a private key of the personidentification authority and compares the decrypted template with thesampling information input by a user provided from the user device orthe service provider, thereby performing person authentication.

Preferably, according to the person authentication method, the personidentification authority decrypts the template that has been encryptedin the person identification certificate by using a private key of theperson identification authority and re-encrypts the decrypted templateby using a public key of the entity which executes person authenticationand stores the re-encrypted template in the person identificationcertificate, thereby transmitting the stored template to the entitywhich executes person authentication.

Preferably, according to the person authentication method, the personidentification authority receives a public key certificate from theentity which executes person authentication and reads a public key afterverifying the public key certificate and decrypts the template that hasbeen encrypted in the person identification certificate by using aprivate key of the person identification authority and re-encrypts thedecrypted template by using the public key of the entity which executesperson authentication read from the public key certificate and storesthe re-encrypted template in the person identification certificate,thereby transmitting the stored template to the entity which executesperson authentication.

Preferably, according to the person authentication method, the personidentification certificate is stored in a mobile terminal, and theentity which executes person authentication receives, from the mobileterminal, the person identification certificate and a key for encryptingand decrypting the template of the person identification certificate,the key that has been decrypted by using a private key of said mobileterminal, and decrypts the template in the received personidentification certificate by using the key for encrypting anddecrypting the template, thereby performing person authentication.

Preferably, according to the person authentication method, the personidentification certificate is stored in a mobile terminal, and theentity which executes person authentication receives, from the mobileterminal, the template stored in the person identification certificate,the template that has been decrypted by using a private key of themobile terminal, thereby performing person authentication on the basisof the received template.

Preferably, according to the person authentication method, the personidentification certificate is stored in a mobile terminal, and theentity which executes person authentication is the mobile terminal thatdecrypts, by using a private key of the mobile terminal, the templatethat has been encrypted in the person identification certificate storedin the mobile terminal and compares the decrypted template with thesampling information input by a user, thereby performing personauthentication.

Preferably, according to the person authentication method, the entitywhich requests person authentication is a user device, and the entitywhich executes person authentication is a service provider for providingservice to the user device, and the user device provides, to the serviceprovider, the sampling information input by a user and the personidentification certificate storing the template that has been encryptedby using a public key of the service provider, and the service providerdecrypts, by using a private key of the service provider, the templatethat has been encrypted in the person identification certificatereceived from the user device and compares the decrypted template withthe sampling information input by a user provided from the user device,thereby performing person authentication.

Preferably, according to the person authentication method, the entitywhich requests person authentication is a user device, and the entitywhich executes person authentication is a service provider for providingservice to the user device, and the service provider verifies asignature of the person identification authority written in the personidentification certificate provided by the user device and transmits theresult of verification to the user device. The user device decrypts, byusing a private key of the user device, a key for encrypting anddecrypting the template, the key that has been encrypted by using apublic key of the user device and stored in the person identificationcertificate and provides the decrypted key to the service provider, withthe sampling information input by a user, on condition that thesignature is verified to have never been tampered with. The serviceprovider that is the entity which executes person authenticationdecrypts, by using the key for encrypting and decrypting the template,the template in the person identification certificate received from theuser device, thereby performing person authentication.

Preferably, according to the person authentication method, the entitywhich requests person authentication is a user device, and the entitywhich executes person authentication is a service provider for providingservice to the user device. The service provider receives the templatein the person identification certificate from the user device, thetemplate that has been decrypted by using a private key of the userdevice and performs person authentication on the basis of the receivedtemplate.

Preferably, according to the person authentication method, the entitywhich executes person authentication is a user device, and the entitywhich requests person authentication is a service provider for providingservice to the user device. The user device decrypts, by using a privatekey of said user device, the template that has been encrypted in theperson identification certificate received from the personidentification authority and compares the decrypted template with thesampling information input by a user, thereby performing personauthentication and notifying the service provider of the result ofcomparison.

Preferably, according to the person authentication method, mutualauthentication is performed between data transmission devices, and datais transmitted together with a digital signature that is verified, so asto check whether the data has been tampered with or not, in mutual datacommunication performed by the person identification authority, theentity which executes person authentication and the entity whichrequests person authentication.

As described above, the person authentication system and the personauthentication according to the present invention allow personauthentication to be performed in an easy fashion in various devices bycomparing the template serving as person identification data with thesampling information input by a user. For example, a service provider(SP) or a user device (UD) can execute person authentication byacquiring the template from a person identification certificate (IDC)created by a third-party agency serving as a person identificationcertificate authority (IDA). The person identification certificate (IDC)is issued by the person identification certificate authority (IDA), inresponse to a request from a person, on the basis of the templateserving as identification data which is acquired from the person afterverifying the identification of the person, and, when the personidentification certificate (IDC) is distributed to a service provider(SP) or a user device (UD), the distribution is performed after adding asignature of the IDA thereto, thereby ensuring that the validity of thedata is guaranteed and high-reliability person authentication can beperformed.

Furthermore, the present invention provides the person authenticationsystem and the person authentication method which can correspond to theentity which requests person authentication and the entity whichexecutes person authentication, such as a service provider or a userdevice. Both the entities can vary in form. The entity which executesperson authentication decrypts the template using the personidentification certificate (IDC) owned by the entity or provided fromthe outside, compares the decrypted template with the samplinginformation input by a user, and notifies the entity which requestsperson authentication of the comparison result. Information for personauthentication is provided as encrypted information which can bedecrypted only by the entity which executes person authentication,thereby performing safe authentication. The person identificationauthority (IDA) creates and provides the person identificationcertificate (IDC) to the entity which executes person authentication.The person identification authority (IDA) encrypts the template of theperson identification certificate in such a manner that the template isdecrypted only by the entity which executes person authentication. Thus,the present invention allows person authentication in various locationsand devices, while preventing the template information from leaking out.

In accordance with a third aspect of the present invention, there isprovided a program providing medium for providing a computer programwhich is capable of performing, on a computer system, personauthentication through comparing a template serving as useridentification data which has already been acquired with samplinginformation input by a user. The computer program comprises the stepsof: reading out a request for person authentication from an entity whichrequests person authentication to an entity which executes personauthentication; and comparing the template with the sampling informationinput by a user as person authentication on the basis of a personidentification certificate that has been issued by a personidentification authority in accordance with the request for personauthentication, in the entity which executes person authentication.

The program providing medium according to the third aspect of thepresent invention is used to provide a computer program in acomputer-readable format to a computer system capable of executingvarious program codes. There is no particular limitation in the form ofthe medium, and various types of media can be used. Specific examplesinclude a storage medium such as a CD, FD, MO, and DVD and atransmission medium such as a network.

Such a program providing medium defines a cooperative relationship instructure or function between the computer program and the providingmedium so that the computer program functions on a computer system. Inother words, the program providing medium operates in a cooperativefashion on a computer system when the computer program is installed onthe computer system via the program providing medium, thereby achievingfunctions similar to those which can be achieved according to the otheraspects of the present invention. Other objects, aspects, and advantagesof the present invention will become apparent from the followingdescription of embodiments with reference to the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram illustrating a conventional person authenticationapparatus which reads and verifies a fingerprint;

FIG. 2 is a diagram illustrating encrypted data communication performed,using a public key certificate, by a personal authentication systemaccording to the present invention;

FIG. 3 is a diagram illustrating a data format of a public keycertificate;

FIG. 4 is a diagram illustrating the data format of the public keycertificate;

FIG. 5 is a diagram illustrating an example of a format of a personidentification certificate;

FIGS. 6A to 6C are diagrams illustrating manners of encrypting atemplate of a person identification certificate;

FIG. 7 is a table illustrating the types of keys used to encrypt atemplate of a person identification certificate and also illustratingprocessing manners;

FIGS. 8A and 8B are diagrams illustrating manners of encrypting atemplate of a person identification certificate;

FIG. 9 is a diagram illustrating a processing flow and a data flow inregistration of a template and generation of an IDC;

FIG. 10 is a diagram illustrating a processing flow and a data flow in aprocess of deleting a template;

FIG. 11 is a diagram illustrating a processing flow and a data flow in aprocess of changing a template;

FIG. 12 is a diagram illustrating a processing flow and a data flow in aprocess of adding a template;

FIG. 13 is a diagram illustrating a processing flow and a data flow in aprocess of suspending a template;

FIG. 14 is a diagram illustrating a processing flow and a data flow in aprocess of canceling suspension of a template;

FIG. 15 is a diagram illustrating a processing flow and a data flow in aprocess of distributing an IDC;

FIG. 16 is a diagram illustrating a processing flow and a data flow in aprocess of updating an IDC;

FIG. 17 is a diagram illustrating a processing flow and a data flow in aprocess of deleting an IDC;

FIG. 18 is a diagram illustrating a processing flow and a data flow in aprocess of inquiring about an IDC;

FIG. 19 is a diagram illustrating examples of configurations of acertificate authority (CA) which issues a public key certificate (PKC),a person identification certificate authority (IDA) which issues aperson identification certificate (IDC), and a device which uses acertificate;

FIG. 20 is a diagram illustrating examples of configurations of acertificate authority (CA) which issues a public key certificate (PKC),a person identification certificate authority (IDA) which issues aperson identification certificate (IDC), and a device which uses acertificate;

FIGS. 21A to 21C are diagrams illustrating manners of performingverification by a user device, a service provider (SP), or a personidentification certificate authority (IDA) in a system;

FIG. 22 is a diagram illustrating a system in which verification isperformed by a user device;

FIG. 23 is a diagram illustrating a system in which verification isperformed by a service provider (SP);

FIG. 24 is a diagram illustrating a verification process performed by auser device storing an IDC and a PKC;

FIG. 25 is a diagram illustrating a system in which verification isperformed by transmitting a person identification certificate (IDC)stored in a personal terminal such as an IC card to a shared userdevice;

FIG. 26 is a diagram illustrating a system in which verification isperformed by decrypting a person identification certificate (IDC) storedin a personal terminal such as an IC card and then transmitting thedecrypted IDC to a shared user device;

FIG. 27 is a diagram illustrating a system in which verification isperformed by a personal terminal such as an IC card using a personidentification certificate (IDC) stored in the personal terminal andonly the result of the verification is transmitted to a shared userdevice;

FIG. 28 is a diagram illustrating a process performed when templateinformation of a person identification certificate (IDC) is encryptedusing a public key of a service provider (SP);

FIG. 29 is a diagram illustrating a system in which verification isperformed by transmitting a person identification certificate (IDC)stored in a user device to a service provider (SP);

FIG. 30 is a diagram illustrating a system in which verification isperformed by decrypting a person identification certificate (IDC) storedin a user device and then transmitting the decrypted IDC to a serviceprovider (SP);

FIG. 31 is a diagram illustrating a system in which verification isperformed by a user device using a person identification certificate(IDC) stored in the user device and only the result of the verificationis transmitted to a service provider (SP);

FIG. 32 is a diagram illustrating a configuration of a secure containercontaining a content to be distributed via content transaction;

FIG. 33 is a diagram illustrating a form of a list of personidentification certificates (IDCs);

FIG. 34 is a diagram illustrating a specific example of a form of salesrestriction (UCP) information;

FIG. 35 is a diagram illustrating an example of a format of a permittedusage data;

FIG. 36 is a diagram illustrating an example of a data format of priceinformation included in a secure container;

FIG. 37 is a diagram illustrating a manner of distributing a contentusing a secure container;

FIG. 38 is a diagram illustrating an example of a data format of usagecontrol status (UCS) information;

FIG. 39 is a diagram illustrating a manner of using a personidentification certificate (IDC) when a secure container containing acontent is distributed from a service provider to a user device;

FIG. 40 is a flow chart of a process in which a secure container isreceived from a service provider and a person authentication isperformed by a user device so that the content can be used only byauthorized users;

FIG. 41 is a flow chart of a process in which a person authentication isperformed by a service provider and a secure container is distributedonly to authorized users;

FIG. 42 is a diagram illustrating a manner of distributing a contentamong users using a secure container;

FIG. 43 illustrates another manner in which a content is distributedusing a secure container among users and a manner in which userauthentication is performed;

FIG. 44 is a flow chart of a process in which a secure container isreceived from a user device A and person authentication is performed bya user device B so that only authorized users can use the content;

FIG. 45 is a flow chart of a process in which person authentication isperformed by a content distributor before distributing a content and asecure container is distributed only to authorized users;

FIG. 46 is a block diagram mainly illustrating configurations of userdevices which transmit a secure container to each other;

FIGS. 47A and 47B are diagrams illustrating various manners of linking apersonal identification certificate (IDC) and a public key certificate(PKC) to each other;

FIGS. 48A and 48B are diagrams illustrating various manners of linkingpersonal identification certificates (IDCs) and public key certificates(PKC) to one another;

FIGS. 49A and 49B are diagrams illustrating manners of storing a publickey certificate (PKC) linked to a person identification certificate(IDC) into the person identification certificate (IDC);

FIGS. 50A and 50B illustrate manners of storing an identification numberof a certificate into another certificate;

FIGS. 51A and 51B are diagrams illustrating examples of manners ofmanagement using link management data;

FIGS. 52A and 52B are diagrams illustrating another examples of mannersof management using link management data;

FIG. 53 is a diagram illustrating a configuration of a user devicecapable of performing person authentication and reproducing a content;

FIG. 54 is a diagram illustrating a data flow in a process ofdownloading a content;

FIG. 55 is a diagram illustrating the details of the data flow in theprocess of downloading a content;

FIG. 56 is a diagram illustrating the details of the data flow in theprocess of downloading a content;

FIG. 57 is a diagram illustrating the details of the data flow in theprocess of downloading a content;

FIG. 58 is a diagram illustrating a data flow in processes of userregistration, erasure of user registration, and making a servicecontract;

FIG. 59 is a diagram illustrating the details of the data flow in theprocesses of user registration, erasure of user registration, and makinga service contract;

FIG. 60 is a diagram illustrating the details of the data flow in theprocesses of user registration, erasure of user registration, and makinga service contract;

FIG. 61 is a diagram illustrating the details of the data flow in theprocesses of user registration, erasure of user registration, and makinga service contract;

FIG. 62 is a diagram illustrating a flow of data in the process ofrequesting a person identification certificate (IDC), which is to bestored in a device, to be issued;

FIG. 63 is a diagram illustrating the details of the flow of data in theprocess of requesting the person identification certificate (IDC), whichis to be stored in the device, to be issued;

FIG. 64 is a diagram illustrating the details of the flow of data in theprocess of requesting the person identification certificate (IDC), whichis to be stored in the device, to be issued;

FIG. 65 is a diagram illustrating the details of the flow of data in theprocess of requesting the person identification certificate (IDC), whichis to be stored in the device, to be issued;

FIG. 66 is a diagram illustrating a procedure of issuing a one-time PKC;

FIG. 67 is a flow chart of the procedure of issuing a one-time PKC;

FIG. 68 is a diagram illustrating a first manner of using a verificationcertificate;

FIG. 69 is a flow chart of a process of using a verificationcertificate;

FIG. 70 is a diagram illustrating a second manner of using averification certificate;

FIG. 71 is a diagram illustrating an example of a format of averification certificate;

FIG. 72 is a diagram illustrating a process in which personauthentication is performed using a person identification certificate(IDC) which has already been registered in a person identificationcertificate authority (IDA), and a content is distributed in accordancewith the person authentication;

FIG. 73 is a flow chart of a process in which a content is distributedafter performing person authentication using an IDC and performingmutual authentication using a PKC;

FIG. 74 is a flow chart of a process in which a content is distributedafter performing person authentication using an IDC and performingmutual authentication using a PKC;

FIG. 75 is a flow chart of a process in which a content is distributedafter performing person authentication using an IDC and performingmutual authentication using a PKC;

FIG. 76 is a diagram illustrating a process in which personauthentication is performed using a user IDC and a device PKC and alsousing an IDC which has already been registered in a personidentification certificate authority (IDA), and then a content isdistributed to a user using the device PKC;

FIG. 77 is a flow chart illustrating a process in which personauthentication is performed using a user IDC and a device PKC and alsousing an IDC which has already been registered in a personidentification certificate authority (IDA), and then a content isdistributed to a user using the device PKC;

FIG. 78 is a flow chart illustrating a process in which personauthentication is performed using a user IDC and a device PKC and alsousing an IDC which has already been registered in a personidentification certificate authority (IDA), and then a content isdistributed to a user using the device PKC;

FIG. 79 is a diagram illustrating a person identification certificate(IDC) in which validity information (expiration date and the number oftimes the IDC is allowed to be used) of the person identificationcertificate (IDC) and also the expiration date of template informationstored in the IDC are set;

FIGS. 80A and 80B are diagrams illustrating manners of managing the“expiration date or the number of times the IDC is allowed to be used”and the “expiration date of template” of the template information storedin a person identification certificate (IDC);

FIG. 81 is a diagram illustrating a manner of managing the expirationdate of the IDC and the expiration date of the template;

FIG. 82 is a diagram illustrating a manner of managing the number oftimes the IDC is allowed to be used and the template expiration date;

FIG. 83 is a flow chart illustrating a process of controlling the usageof an IDC in accordance with the “expiration date or number of times theIDC is allowed to be used” and “expiration date of template” describedin a person identification certificate (IDC);

FIG. 84 is a diagram illustrating a process in which when a personidentification certificate (IDC) is used, if it turns out that the “IDCexpiration date” has been reached, the person identification certificate(IDC) is updated;

FIG. 85 is a diagram illustrating a process in which the expiration dateof a person identification certificate (IDC) is checked at scheduledintervals, and if it turns out that the “IDC expiration date” has beenreached, the IDC is updated;

FIG. 86 is a diagram illustrating a process in which the expiration dateof template information which has already been registered in a personidentification certificate authority (IDA) is checked by the IDA andupdated if the expiration date has been reached, after informing a userthat the expiration date has been reached; and

FIG. 87 is a diagram illustrating a process in which templateinformation which has already been registered in a person identificationcertificate authority (IDA) is updated in response to an updatingrequest from an user.

DESCRIPTION OF THE PREFERRED EMBODIMENT

The present invention is described in further detail below withreference to preferred embodiments in conjunction with the accompanyingdrawings.

The present invention is described below in terms of items listed below.

1. Concepts of the Present Invention and the Outline of Certificates

2. Encryption of Template

3. Registration and Change of Template and Person IdentificationCertificate (IDC)

4. Basic Manners of Using Person Identification Certificate (IDC)

5. Authentication Using Person Identification Certificate (IDC)

6. Control of Permission of Usage of Content According to UserAuthentication on the Basis of Person Identification Certificate

7. Link between Person Identification Certificates (IDCs) and Public KeyCertificates (PKCs)

8. Using a Content on the Basis of Person Identification Certificate(IDC) and Public Key Certificate (PKC)

9. One-Time Public Key Certificate (One-Time PKC)

10. Verification Certificate

11. Downloading of Person Identification Certificate (IDC) and Usage ofa Content

12. Setting the Validity Period of Person Identification Certificate(IDC)

[1. Concepts of the Invention and Outline of Certificates]

(1.1 Basic Concepts of the System According to the Invention)

First, basic concepts of the person authentication system according tothe present invention are described. In the present invention,authentication of a person is realized using a person identificationcertificate (IDC). A person identification certificate (IDC) is issuedfor each person who wants to be certified by an identification authority(IDA), which is a reliable third-party agency, after verifying theidentification of the person.

Each person identification certificate (IDC) includes information(template information) which identifies a corresponding person. Specificexamples usable as personal identification information includefingerprint information, retina pattern information, iris patterninformation, voice print information, and handwriting information.Personal identification information other than biometric informationsuch as a seal, a passport, a driver's license, or a card can also beused. Any combination of the personal identification informationdescribed above can also be used. Furthermore, a combination of apassword and any personal identification described above may also beused. That is, information that only a person himself/herself canpossess is used as the person identification information and is storedas template information wherein the template information is generallyencrypted.

A person identification certificate (IDC) issued by an identificationauthority (IDA) is used by a registered user himself/herself, a serviceprovider (SP) which provides a content to the registered user, or anagency or an organization (such as a settling financial institution)which needs to authenticate an user. A person identification certificate(IDC) is also issued by the person identification certificate authority(IDA) in response to a request from a user device which needs the personidentification certificate (IDC) for authentication of an user. Specificexamples of manners of using person identification certificates will bedescribed in detail later.

Furthermore, in embodiments according to the present invention, a personidentification certificate (IDC) is effectively used in conjunction witha public key certificate (PKC). For example, when a service provider(SP) distributes an encrypted content to an user, the service provider(SP) authenticates the user on the basis of a person identificationcertificate (IDC), and the service provider (SP) transmits the encryptedcontent to the user only when the user is verified as an authorizeduser, wherein the content is encrypted using a public key described in apublic key certificate so that only the authorized user can decrypt thecontent.

FIG. 2 is a diagram illustrating encrypted data communication performedby a person authentication system, using a public key certificate,according to the present invention. A person identification certificate(IDC) and a public key certificate (PKC) are issued by an identificationauthority (IDA) 201 and a certificate authority (CA) 202, respectively,in accordance with predetermined procedures.

Encrypted data communication is performed, for example, between a userdevice A205 and a service provider (SP) 203 which distributes a content.In the encrypted data communication, the service provider (SP) 203 firstconfirms that the user device A is used by a user A and then transmits acontent after converting the content into encrypted data which can bedecrypted by the user A.

The user A registers his/her personal information in the personidentification certificate authority (IDA) 201, and the personidentification certificate authority (IDA) 201 issues a personidentification certificate (IDC) to the user A. The service provider(SP) 203 verifies the authenticity of the user A on the basis of theperson identification certificate (IDC). In this case, the serviceprovider (SP) 203 is an entity which executes person authentication onthe basis of the person identification certificate (IDC). Theauthentication may be performed in various manners on the basis of anidentification certificate, as will be described in detail later.

The user A presents his/her public key to the certificate authority 202and receives a public key certificate including a digital signaturewritten by the certificate authority. After the service provider (SP)203 authenticates the user A on the basis of the person identificationcertificate (IDC), the service provider (SP) 203 extracts the public keyfrom the public key certificate of the user A and transmits a content tothe user A after encrypting the content using the extracted public key.When the user A of the user device A205 receives the encrypted content,the encrypted data is decrypted using a private key corresponding to thepublic key, and the decrypted data is used by the user A.

Authentication and transmission of encrypted data are also performed ina similar manner between a service provider (SP) 204 serving as asettling institution and a user device B206. That is, the serviceprovider (SP) 204 authenticates the user B on the basis of anidentification certificate of the user B and transmits data (such as acontent or electronic settlement data) after encrypting the data using apublic key certificate of the user B. In this case, the user device isan entity which executes personal authentication on the basis of theperson identification certificate (IDC).

Furthermore, in data communication between the user device A205 and theuser device B206, authentication of users A and B is performed on thebasis of the person identification certificates of users A and B, anddata is transmitted by means of encryption using the public keycertificate of the use A or B.

As described above, identification certificates and public keycertificates can be used in various situations in which data istransmitted. A person identification certificate can also be usedsingly. For example, when a user accesses secret information stored in aPC, the authenticity of the user is verified on the basis of a personidentification certificate. A wide variety of entities, such as aservice provider (SP), a user device, and a person identificationcertificate authority (IDA), execute person authentication on the basisof a person identification certificate.

In an embodiment of a system according to the present invention, asshown in FIG. 2, a person identification certificate (IDC) issued by aperson identification certificate authority (IDA) 201 is linked with apublic key certificate (PKC) issued by a certificate authority 202. Thelink may be achieved by incorporating a public key certificate (PKC)into a person identification certificate or by creating groupinformation indicating link information. Manners of forming links willbe described in detail later.

In the public key cryptography described above, different keys are usedby a sender and a receiver, wherein one of the keys is used as a publickey which are opened for use by any unspecified user, while the otherkey is used as a private key which is kept secret. In the public keycryptography, unlike the symmetric key cryptography in which encryptionand decryption are performed using a symmetric key, only a particularone person has a private key which should be kept secret, and thus it iseasy to manage keys. An representative example of a public keyencryption algorithm is the RSA (Rivest-Shamir-Adleman) encryptionalgorithm. In this technique, a product of two very large prime numbers(for example, 150-digit prime numbers) is used because it is difficultto factorize the product of two very large prime numbers (such as150-digit prime numbers) into prime numbers.

In the public key cryptography, a large number of unspecified users areallowed to use the same public key, and the validity of a distributedpublic key is generally certified by a certificate called a public keycertificate. For example, a user A creates a pair of a public key and aprivate key and sends the created public key to a certificate authorityto acquire a public key certificate from the certificate authority. Theuser A opens the public key certificate to the public. An unspecifieduser acquires the public key from the public key certificate via apredetermined procedure and transmits, to the user A, a document or thelike after encrypting it using the public key. Upon reception of thedocument, the user A decrypts the received document using the privatekey. The user A may also attach his/her signature encrypted with theprivate key to a document or the like, and unspecified user may verifythe signature using the public key extracted from the public keycertificate via the predetermined procedure. Before describing theperson authentication system according to the present invention infurther detail, the data structures of the public key certificate (PKC)and the person identification certificate (IDC) used in the system ofthe present invention are described.

(1.2 Public Key Certificate)

Public key certificates are described with reference to FIGS. 3 and 4.In the public key cryptography, a public key certificate is issued by acertificate authority (CA) which is also called an issuer authority(IA), wherein in response to receiving an ID and a public key from anuser, the certificate authority issues a certificate after addinginformation such as an ID of the certificate authority and a validityperiod and also adding a signature of the certificate authority.

An example of a format of a public key certificate is described. In thisspecific example, the format is according to the public key certificateformat X.509 V3.

Version indicates the version of the certificate format.

Serial Number indicates a serial number assigned by a public key issuerauthority (IA) to a public key certificate.

Signature algorithm Identifier and algorithm parameters are fields inwhich the signature algorithm of the public key certificate andparameters thereof are described. Either the elliptic curve cryptographyor the RSA can be used as the signature algorithm, wherein in the casewhere the elliptic curve cryptography is employed, parameters and thekey length are described, while the key length is described in the casewhere the RSA is employed.

Issuer is a field in which the issuer of the public key certificate,that is, the name of the public key certificate issuer (IA) is describedin the form of a distinguished name.

Validity is a field to describe a period during which the certificate isvalid, wherein a start date and an expiration date are described.

Subject is a field in which the name of a subject or a user isdescribed. More specifically, for example, the ID of a user device orthe ID of a subject which supplies services is described.

In subject Public Key Info, algorithm and subject Public key,information about the public key of the user including the key algorithmis described.

The fields described above are defined in the public key certificateformat X.509 V1, and fields described below are fields added theretoaccording to the public key certificate format X.509 V3.

In authority Key Identifier, key Identifier, authority Cert Issuer,authority Cert Serial Number, information which identifies the key ofthe public key certificate issuer (IA) is described, wherein, morespecifically, a key identification number (octal number), the name ofthe public key issuer authority (IA), and a certificate number aredescribed.

In subject key Identifier, identifiers are described in the case where aplurality of keys are certified in the public key certificate.

Key usage is a field to specify the purpose of the key, wherein apurpose is selected from the group consisting of (0) digital signature,(1) prevention of repudiation, (2) encryption of the key, (3) encryptionof a message, (4) distribution of a symmetric key, (5) verification ofthe signature of the certificate, and (6) verification of the signatureof a revocation list.

In private Key Usage Period, a period is described during which theprivate key of the user is valid.

In certificate Polices, certificate policies of certificate authorities,that is, the public key certificate issuer authority (IA) and theregistration authority (RA), are described. For example, a policy ID ora certification criterion according to the ISO/IEC9384-1 is described.

Policy Mapping is described only when a CA (public key certificateissuer (IA)) is certified, wherein mapping is described in terms of thepolicy of the public key certificate issuer (IA) which issues thecertificate and the policy of the certificate authority which iscertified.

In supported Algorithms, attributes of a directory (X.500) are defined.This field is used, in communication, to inform a receiving party of theattribute of the directory.

Subject Alt Name is a field to describe an alternative name of thesubject.

Issuer Alt Name is a field to describe an alternative name of thecertificate issuer.

Subject Direction Attribute is a field in which an arbitrary attributeof the user is described.

Basic Constraint is a field to describe whether the public key to becertified is used for signature of the certificate authority (public keycertificate issuer authority (IA)) or is used by the user.

Name Constraints permitted Subtrees is a field to describe the areawhere the certificate is effective, wherein this field is used only whena certificate authority (public key certificate authority (CA) iscertified.

In policy Constraints, constrains are described in terms of requirementsof explicit policy ID or inhibit policy mapping for the remainingcertification path.

CRL (Certificate Revocation List) Distribution Points is a filed todescribe a reference point in the revocation list (FIG. 9) at which datais present which indicates whether the certificate of a user is revoked,wherein this field is used to confirm, when the user uses thecertificate, that the certificate is not revoked.

Signature is a field in which a signature of the public key certificateissuer (public key certificate authority (IA) is written. The signatureis data which is created by generating a hash value by applying a hashfunction to the whole of a certificate and then encrypting the resultanthash value using a public key of a certificate authority.

A certificate authority issues a public key certificate in the formatshown in FIGS. 3 and 4 and also updates a public key certificate whichhas expired. Furthermore, the certificate authority generates, manages,and distributes an illegal user list (revocation list) to shut out userswho have made an illegal act. The certificate authority also generates apublic key and a private key, as required.

When a user uses the public key certificate, the user verifies thedigital signature of the public key certificate using the public key ofthe certificate authority the user has. If the verification of thedigital signature is successfully passed, the user extracts the publickey from the public key certificate. Therefore, all users, who want touse the public key certificate, need to have the common public key ofthe certificate authority.

(1.3 Person Identification Certificate)

Each person identification certificate (IDC) used in the personauthentication system according to the present invention includesinformation which identifies a person (hereinafter, this personidentification information included in the IDC is referred to astemplate information). An example of template information is biometricinformation of a person such as fingerprint information, retina patterninformation, iris pattern information, voice print information, andhandwriting information. Personal identification information other thanbiometric information is also usable. Specific examples of such personalidentification information includes a seal, a passport, a driver'slicense, and a card. Any combination of the personal identificationinformation described above can also be used. Furthermore, a combinationof a password and any personal identification described above may alsobe used. That is, information that only a person himself/herself canpossess is used as the person identification information. It isdesirable that the template information be stored in the IDC after beingencrypted so as to prevent the template information from being leaked toan unauthorized third party. However, encryption of the template is notnecessarily required if the distribution of the person identificationcertificate is very limited and if the template is thus prevented frombeing leaked.

A digital signature of a person identification authority (IDA) iswritten in a person identification certificate (IDC) so that the personidentification certificate is prevented from being tampered with.

FIG. 5 illustrates an example of a person identification certificateformat. The person identification certificate format shown in FIG. 5includes indispensable item fields, extended item fields, and asignature field. The respective items are described below.

First, the respective fields of the indispensable items are described.

Version indicates the version of the certificate format.

Serial Number indicates a serial number assigned by a personidentification authority (IDA) to a person identification certificate(IDC).

In Signature algorithm Identifier algorithm parameter, the signaturealgorithm of the person identification certificate and parametersthereof are described.

Either the elliptic curve cryptography or the RSA can be used as thesignature algorithm, wherein in the case where the elliptic curvecryptography is employed, parameters and the key length are described,while the key length is described in the case where the RSA is employed.

Issuer is a field in which the issuer of the person identificationcertificate, that is, the name of the person identification certificateauthority (IDA) is described in the form of a distinguished name.

Validity is a field to describe a period during which the certificate isvalid, wherein a start date and an expiration date are described.

Subject is a field in which the name of a subject or a user isdescribed. In this field, more specifically, the ID or the name of theuser is described.

Subject Template Info is a field to describe identification informationof an user, wherein data representing biometric information such as afingerprint of the user is stored after being encrypted. Morespecifically, the encryption algorithm used to encrypt the template, theunique identifier (ID) or the certificate number of the public keycertificate used in encryption, an encryption algorithm, a parameter, astart date and an expiration date indicating the validity period of thetemplate, the type of the template, and the template (encrypted) aredescribed.

The fields described above are set as the indispensable item fields.

Now, extended fields of the person identification certificate (IDC) aredescribed.

Subject PKC info is a field to describe the public key certificateinformation of the subject to be certified, including the certificatenumber of the public key certificate of the subject and the subjectunique ID of the public key certificate of the subject.

In Issuer Unique ID, the unique ID of the person identificationcertificate authority (IDA) is described.

In Subject Unique ID, the unique ID of the subject to be certified isdescribed.

In Public Key Certificate, the public key certificate described above isstored.

In Issuer Alt Name, an alternative name of the person identificationcertificate authority is described.

In Subject Directory Attribute, an arbitrary attribute of an user, suchas an age, sex, address, telephone number, is encrypted as required toidentify the user.

Valid Count is a field to describe the maximum number of times theperson identification certificate is allowed to be used. Morespecifically, after a certificate is issued, the certificate is allowedto be used as many times as described in this field.

In Control Table link Infor, group information indicating the linkbetween the person identification certificate (IDC) and the public keycertificate (PKC) is described. For example, information is describedwhich indicates a link to a public key certificate used in datacommunication or data processing which is executed only when a user issuccessfully authenticated on the basis of the person identificationcertificate. The link information and the group information will bedescribed in detail later.

The extended fields of the person identification certificate (IDC) havebeen described above.

The digital signature is data which is created by generating a hashvalue by applying a hash function to all fields of the certificate andthen encrypting the resultant hash value using the public key of theperson identification certificate authority (IDA).

Other information may also be described in the extended fields of theperson identification certificate (IDC). For example, when the templateinformation is encrypted using not the public key but a common privatekey, and the common key used in the encryption is encrypted using thepublic key of the user device, the service provider, or the personidentification certificate authority (IDA), the encrypted public key isdescribed in an extended field. The process performed in this case willbe described later.

[2. Encryption of Template]

The person identification certificate (IDC) described above includesinformation (template information) used to identify a person. An exampleof template information is biometric information of a person such asfingerprint information, retina pattern information, iris patterninformation, voice print information, and handwriting information.Personal identification information other than biometric information isalso usable. Specific examples of such personal identificationinformation includes a seal, a passport, a driver's license, and a card.Any combination of the personal identification information describedabove can also be used. Furthermore, a combination of a password and anypersonal identification described above may also be used. That is,information that only a person himself/herself can possess is used asthe person identification information.

It is desirable that the template be stored after being encrypted toprevent the template from being leaked to a third party, unless thedistribution of the certificate is limited so as to keep a secret. Themanners of encrypting and storing a template are described below.

A template may be stored and encrypted in various manners as describedbelow.

1) The template is stored without being encrypted.

2) The template is encrypted using the public key of the user(identified by the person identification certificate).

3) The template is encrypted using the symmetric key Kt, and thesymmetric key Kt is encrypted using the public key of the user.

4) The template is encrypted using a public key of a service provider(SP) (which identifies a user to which a service is to be provided, bymeans of using a person identification certificate).

5) The template is encrypted using the symmetric key Kt and thesymmetric key Kt is encrypted using the public key of the serviceprovider (SP).

6) The template is encrypted using the public key of the personidentification certificate authority (IDA).

7) The template is encrypted using the symmetric key Kt, and thesymmetric key Kt is encrypted using the public key of the personidentification certificate authority (IDA).

The template may be stored after being encrypted or without beingencrypted in one of the above manners, each of which will be describedin further detail below with reference to FIGS. 6, 7, and 8. FIG. 6Aillustrates an example in which a template is not encrypted, and datarepresenting biometric information such as a fingerprint acquired via aperson identifying apparatus is directly stored as template informationin a person identification certificate (IDC).

FIG. 6B illustrate an example in which encryption and decryption areperformed using only a public key, wherein in encryption shown in FIG.6B, a template of a user acquired as identification information via aperson identifying apparatus is encrypted using a public key of the useror a user device, a public key of a service provider (SP) (whichidentifies a user to which a service is to be provided, by means ofusing a person identification certificate), or a public key of a personidentification certificate authority (IDA). Encryption may be performedin accordance with, for example, the elliptic curve cryptography (ECC)or the RSA (Rivest-Shamir-Adleman) cryptography. The encrypted templateis stored in the person identification certificate (IDC), together withthe identifier (unique ID) of the public key and data indicating theencryption algorithm employed in the encryption of the template.

The public key used herein is a public key which can be identified bythe unique ID of the public key. The unique ID of the public key isinformation which can identify a public key certificate, whereinspecific examples include a user ID and a user name stored in a publickey certificate. The public key used herein is selected, depending uponthe manner in which the person identification certificate (IDC) is used,from the group consisting of the public key of the user, the public keyof the service provider (SP) (which identifies a user to which a serviceis to be provided, by means of using a person identificationcertificate), and the public key of the person identificationcertificate authority (IDA).

FIG. 7 shows various manners of using a public key to encrypt atemplate. In the case of a person identification certificate (IDC) inwhich a public key of a user or a user device is used to encrypt atemplate, an example of usage of the person identification certificate(IDC) is to identify a particular user who is authorized to use a userdevice (such as a PC). When a user wants to use a PC, the templatestored in the person identification certificate (IDC) is decrypted usingthe private key of the user and is compared with an input template toverify the authenticity of the user.

An example of usage of a person identification certificate (IDC) inwhich a template is encrypted using a public key of a service provideris to identify a particular user to whom a service is to be provided bythe service provider. The service provider extracts the encryptedtemplate information from a person identification certificate (IDC) ofan user, which is stored in the service provider or transmitted from theuser or the person identification certificate authority (IDA), and theservice provider decrypts the encrypted template information using theprivate key of the service provider. The service provider then comparesthe decrypted template with sampling information (such as fingerprintdata) presented by a person to be verified.

A person identification certificate (IDC) in which a template isencrypted using a public key of the person identification certificate(IDC) is used, for example, in data transmission between terminals, toidentify transmitting and receiving users on the basis of the personidentification certificate (IDC) issued by the person identificationcertificate authority (IDA). As described above, the templateinformation is encrypted in a different manner depending upon the usageof the person identification certificate (IDC).

FIG. 6C shows a process of decrypting a template encrypted with a publickey. An encrypted template is extracted from a person identificationcertificate (IDC), and then data indicating the encryption algorithm andthe unique ID of a public key are extracted. Furthermore, a private keycorresponding to the public key specified by the public key unique ID isextracted, and the encrypted template is decrypted using the extractedprivate key thereby extracting the template. Each entity which executesthe person verification, such as a user device or a service providerwhich verifies an user, includes an encryption unit for decrypting andencrypting data.

FIGS. 8A and 8B are diagrams each illustrating a manner of encryptingand decrypting a template of a person identification certificate, usinga symmetric key and a public key. FIG. 8A illustrates an encryptingprocess. First, for example, in a person identification certificateauthority (IDA) which wants to generate encrypted template information,a symmetric key is generated using a random number, and a template inputvia a person identifying apparatus is encrypted using the symmetric key.Furthermore, a public key employed, that is, one of a public key of theuser or of a user device, a public key of a service provider (SP), and apublic key of the person identification certificate authority (IDA) isencrypted using the symmetric key. The public key is selected dependingupon the usage manner described above with reference to FIG. 7.

The resultant encrypted template and encrypted symmetric key are storedin the person identification certificate (IDC) together with theidentifier (unique ID) of the public key and the data indicating theencryption algorithm applied to the encryption of the template and theencryption of the symmetric key.

FIG. 8B illustrates a decrypting process using the symmetric key and theprivate key. The encrypted template is extracted from the encryptedtemplate information of the person identification certificate (IDC).Furthermore, the encrypted symmetric key, the data indicating theencryption algorithm, and the public key unique ID are extracted. Theencrypted symmetric key is decrypted using the private key specified bythe public key specified by the public key unique ID, and the encryptedtemplate is decrypted using the symmetric key obtained via the abovedecryption process, thereby extracting the template.

[3. Registration and Change of Template and Person IdentificationCertificate (IDC)]

Processes of registering, deleting, changing, adding, suspending, andcanceling of suspension of a person identification certificate (IDC) inwhich data is described in the above-described manner are describedbelow. Herein, the suspending of an IDC is a process of temporarilyinvalidating the IDC, and the canceling of suspension is a process ofre-validating the temporarily suspended IDC.

(3.1 Registration of Template)

To effectively register a person identification certificate (IDC), aperson to be certified with a person identification certificate (IDC)first presents sampling information to register his/her template. Asdescribed earlier, an example of template information is biometricinformation of a person such as fingerprint information, retina patterninformation, iris pattern information, voice print information, andhandwriting information. Personal identification information other thanbiometric information is also usable. Specific examples of such personalidentification information includes a seal, a passport, a driver'slicense, and a card. Any combination of the personal identificationinformation described above can also be used. Furthermore, a combinationof a password and any personal identification described above may alsobe used. That is, information that only a person himself/herself canpossess is used as the person identification information.

FIG. 9 illustrates a flow in terms of registration of a template andcreation of an IDC. Registration of a template is performed on the basisof information (sampling information) acquired using an apparatuscapable of acquiring personal information in one of the various formsdescribed earlier. For example, in the case where fingerprintinformation is used as a template, a fingerprint reading apparatus isused, while a voice print acquisition apparatus is used in the casewhere voice print information is used as a template (S11). The acquireddata is transmitted online or offline to a person identificationcertificate authority (IDA) (S12). A user transmits his/her personalinformation (PIN) identifying the user to the person identificationcertificate authority (IDA) (S13).

In the case where the data described above are transmitted online,mutual authentication is performed between the device of the user andthe person identification certificate authority (IDA), wherein data istransmitted together with a digital signature, and the signature isverified at a receiving end. The person identification certificateauthority (IDA) checks the data to confirm that the data has not beentempered with, identifies the user, and verifies the data (S14). If itis determined that the data is not valid, error handling is performed(S17) without performing registration.

In the registration of the template, the person identificationcertificate authority (IDA) verifies the identification of the user onthe basis of user identification data which identifies the user. Theperson identification certificate authority (IDA) also acquires personalinformation such as an address or a telephone number, as required. Afterverifying the identification of the user and the verifying othernecessary data, the person identification certificate authority (IDA)assigns a person identifier to the template and stores it in a database(S15). The person identification certificate authority (IDA) encryptsthe template using the public key of the person identificationcertificate authority (IDA) and creates a person identificationcertificate (IDC) in which the encrypted template is stored (S16). Thekey used to encrypt the template stored in the IDC may be differentdepending upon the location where the IDC is used, that is, dependingupon the entity which executes authentication of a person. For example,a public key of a service provider or a user device is used dependingupon the situation.

(3.2 Deleting of Template)

A template registered in a person identification certificate authority(IDA) may be deleted by performing a template deleting process. Thedeleting process is performed in response to a deleting request issuedby an user. FIG. 10 shows a flow of the template deleting process. Whena user requests deletion of a template (S21), the user submits his/heridentification data which identifies the user to a person identificationcertificate authority (IDA) (S22). Furthermore, the user transmitshis/her personal information (PIN) used for identification to the personidentification certificate authority (IDA) (S23).

In the case where the data described above are transmitted online,mutual authentication is performed between the device of the user andthe person identification certificate authority (IDA), wherein data istransmitted together with a digital signature, and the signature isverified at a receiving end. The person identification certificateauthority (IDA) checks the data to confirm that the data has not beentempered with, identifies the user, and verifies the data (S24). If itis determined that the data is not valid, error handling is performed(S27) without performing the deleting process.

After identifying the user on the basis of the person identificationdata to confirm that the request has been issued by the userhimself/herself (S24), the person identification certificate authority(IDA) deletes the requested template and the associated personidentification data and other additional information (S25). Furthermore,the person identification certification authority (IDA) deletes theperson identification certificate (IDC) in which the template waspresent, and registers the deleted IDC in a revocation list (S26). Morespecifically, the IDC identifier corresponding to the deleted IDC isregistered in the revocation list.

(3.3 Changing of Template)

A template registered in a person identification certificate authority(IDA) may be changed by performing a template changing process. FIG. 11illustrates a flow of the template changing process. A user submits atemplate changing request to a person identification certificateauthority (IDA) (S31), creates sampling information or the like used tocreate a new template (S32), and transmits identification dataidentifying the user and additional information (PIN) as required to theperson identification certificate authority (IDA) (S33, S34). The personidentification certificate authority (IDA) identifies the user on thebasis of the identification data (S35), deletes the personidentification certificate (IDC) based on the current template (S36),and registers the deleted IDC in the revocation list (S37). Furthermore,the person identification certificate authority (IDA) assigns anidentification number to the new template and stores it in the database(S38), encrypts the template using the public key of the personidentification certificate authority (IDA), and creates a personidentification certificate (IDC) in which the encrypted template isstored (S39). In on-line data communication between the user device andthe person identification certificate authority (IDA), mutualauthentication, addition of a signature to data to be transmitted, andverification of the signature are performed in a similar manner to theprocesses described above.

(3.4 Addition of Template)

A user may add another identification data as an additional template tothe template which has been already registered in a personidentification certificate authority (IDA). FIG. 12 illustrates thetemplate addition process. A user issues a template addition request toa person identification certificate authority (IDA) (S41), creates a newtemplate using a template acquisition apparatus (S42), and transmits ittogether with identification data to the person identificationcertificate authority (IDA) (S43, S44). The person identificationcertificate authority (IDA) verify the received identification data(S45) to authenticate the user, assigns a person identifier (number) tothe template to be added and stores it in the database (S46), encryptsthe template to be added using the public key of the personidentification certificate authority (IDA), and creates a personidentification certificate (IDC) in which the encrypted template isstored (S47). In on-line data communication between the user device andthe person identification certificate authority (IDA), mutualauthentication, addition of a signature to data to be transmitted, andverification of the signature are performed in a similar manner to theprocesses described above.

(3.5 Suspension of Template)

A template registered in a person identification certificate authority(IDA) may be suspended temporarily in response to a suspension requestissued from an user. FIG. 13 illustrates a flow of a template suspensionprocess. If a user issues a template suspension request to a personidentification certificate authority (IDA) (S51) and submitsidentification data and addition data to the person identificationcertification authority (IDA) (S52, S53), the person identificationcertificate authority (IDA) identifies the user on the basis of theidentification data (S54) and suspends the validity of the requestedtemplate of the user and the associated identification data andadditional information (S55). In this suspension process, the personidentification certificate authority (IDA) also revokes the personidentification certificate (IDC) of that user and registers it in therevocation list (S56). More specifically, the IDC identifiercorresponding to the deleted IDC is registered in the revocation list.In on-line data communication between the user device and the personidentification certificate authority (IDA), mutual authentication,addition of a signature to data to be transmitted, and verification ofthe signature are performed in a similar manner to the processesdescribed above.

(3.6 Cancellation of Suspension of Template)

A template whose validity was suspended via the suspension process maybe re-validated in response to a suspension cancel request issued by anuser. FIG. 14 illustrates a template suspension canceling process. Auser issues a template suspension cancel request to a personidentification certificate authority (IDA) (S61) and submitsidentification data and additional information to the personidentification certificate authority (IDA) (S62, S63). After verifyingidentification of the user on the basis of the identification data(S64), the person identification certificate authority (IDA) cancels thesuspension of validity of the requested template of the user and theassociated identification data and additional information (S65).Furthermore, the person identification certificate authority (IDA)removes the person identification certificate (IDC) of that user fromthe revocation list (S66). More particularly, the corresponding IDCidentifier is removed from the revocation list. In on-line datacommunication between the user device and the person identificationcertificate authority (IDA), mutual authentication, addition of asignature to data to be transmitted, and verification of the signatureare performed in a similar manner to the processes described above.

(3.7 Distribution of Person Identification Certificate (IDC))

Distribution of a person identification certificate (IDC) created on thebasis of a template registered after being supplied from a user isdescribed below.

FIG. 15 illustrates a flow of a process of distributing a personidentification certificate (IDC) to service providers (SPs). A serviceprovider who wants to use a person identification certificate (IDC)makes, in advance, a contract including a rule of using IDCs with aperson identification certificate authority (IDA) (S71). Thereafter,mutual authentication is performed between the person identificationcertificate authority (IDA) and the service provider (SP) (S72). Themutual authentication may be performed, for example, via a process usingsymmetric key encryption or public key encryption.

If a success is achieved in mutual authentication, the service provider(SP) transmits to the person identification certificate authority (IDA)a request for issuing person identification certificate (IDC) togetherwith user identification data or data indicating the name of a user towhom a service is to be provided and also data indicating the desiredpolicy of the person identification certificate (IDC) (S73). The personidentification certificate authority (IDA) verifies the personidentification certificate issuing request (S74), sets the policy of theperson identification certificate (IDC) in accordance with the usagerule (S75), extracts the requested person identification certificate(IDC) of the user from the database, decrypts the user templateencrypted with the public key of the person identification certificateauthority (IDA), encrypts the user template using the public key of theservice provider (S76), creates a person identification certificate(IDC) according to the policy (S77), and supplies the created IDC to theservice provider (SP) (S78). In the case where the template stored inthe database is not encrypted, or in the case where encryption is notrequired, the encryption of the template is not necessary.

(3.8 Updating of Person Identification Certificate (IDC))

Now, a process of updating a person identification certificate (IDC)created on the basis of a registered template of a user is describedbelow. In most cases, updating is performed to reset the validity periodof a person identification certificate (IDC) being used.

FIG. 16 illustrates a flow performed in response to a personidentification certificate (IDC) updating request issued from a serviceprovider (SP). A service provider who wants to use a personidentification certificate (IDC) makes, in advance, a contract includinga rule of using IDCs with a person identification certificate authority(IDA) (S81). Thereafter, mutual authentication is performed between theperson identification certificate authority (IDA) and the serviceprovider (SP) (S82). The mutual authentication may be performed, forexample, via a process using symmetric key encryption or public keyencryption.

If a success is achieved in the mutual authentication, the serviceprovider (SP) transmits to the person identification certificateauthority (IDA) a request for updating a desired person identificationcertificate (IDC) (S83). The person identification certificate authority(IDA) verifies the updating request (S84), sets the policy of the personidentification certificate (IDC) in accordance with the usage rule(S85), extracts the requested person identification certificate (IDC) ofthe user from the database, decrypts the user template encrypted withthe public key of the person identification certificate authority (IDA),encrypts the user template using the public key of the service provider,creates a person identification certificate (IDC) according to thepolicy (S86), sets the validity period, and supplies the created IDC tothe service provider (SP) (S87). In the case where the template storedin the database is not encrypted, or in the case where encryption is notrequired, the encryption of the template is not necessary.

(3.9 Deleting of Person Identification Certificate (IDC))

Deleting of a person identification certificate (IDC) created on thebasis of a template registered after being supplied from a user isdescribed below.

FIG. 17 illustrates a process performed in response to a personidentification certificate (IDC) deleting request issued by an user.When a user wants to delete a person identification certificate (IDC),the user transmits to a person identification certificate authority(IDA) a request for deleting a particular person identificationcertificate (IDC) (S91). The person identification certificate authority(IDA) verifies the deleting request (S92) and deletes the specifiedperson identification certificate (IDC) (S93).

(3.10 Inquiring about Person Identification Certificate (IDC))

Inquiring about a person identification certificate (IDC) created on thebasis of a template registered after being supplied from a user isdescribed below. Inquiring is performed, for example, when a serviceprovider (SP), who does not have a person identification certificate(IDC), transmits sampling data received from a user to a personidentification certificate authority (IDA) to inquire about theauthenticity of the user. In response to the inquiry, the personidentification certificate authority (IDA) verifies the authenticity ofthe user on the basis of the person identification certificate (IDC)stored in the person identification certificate authority (IDA), and theperson identification certificate authority (IDA) returns only theauthentication result to the service provider.

FIG. 18 illustrates a flow of a process performed in response to aperson identification certificate (IDC) inquiry request issued by aservice provider (SP). A service provider, who wants to make an inquiryin terms of a person identification certificate (IDC), makes a contractincluding an usage rule of person identification certificates (IDCs)with a person identification certificate authority (IDA) (S01).Thereafter, mutual authentication is performed between the personidentification certificate authority (IDA) and the service provider (SP)(S02). The mutual authentication may be performed, for example, via aprocess using symmetric key encryption or public key encryption.

If a success is achieved in the mutual authentication, the serviceprovider (SP) transmits to the person identification certificateauthority (IDA) a request for inquiry about a person identificationcertificate (IDC) of a particular user together with sampling data orthe like of that user (S03, S04). The person identification certificateauthority (IDA) verifies the inquiry request (S05), verifies thereceived sampling data on the basis of the corresponding personidentification certificate (IDC) (S06), and transmits a verificationresult (OK or NG) to the service provider (SP) (S07).

[4. Basic Manners of Using Person Identification Certificate (IDC)]

Basic manners of using a person identification certificate (IDC) aredescribed below. In particular, relationships between a certificateauthority (CA) which issues a public key certificate (PKC), a personidentification certificate authority (IDA) which issues a personidentification certificate (IDC), and a device which uses thosecertificates are described.

FIGS. 19 and 20 illustrate two examples of systems including acertificate authority (CA) which issues a public key certificate (PKC),a person identification certificate authority (IDA) which issues aperson identification certificate (IDC), and a device which uses thosecertificates. In the example shown in FIG. 19, a comparison betweensampling information and a template of a person identificationcertificate (IDC) is made by a person identification certificateauthority (IDA), while a comparison between sampling information and atemplate of a person identification certificate (IDC) is made by aservice provider (SP) or a user device (UD) in the example shown in FIG.20.

In FIG. 19, the user device (UD) or the service provider (SP) 300includes a sampling information processing unit 310 for acquiringpersonal information such as fingerprint data of various users andprocessing the acquired personal information, wherein the samplinginformation processing unit 310 includes a personal informationacquisition unit 314 for acquiring sampling information, an informationconverter 313 for converting fingerprint data or the like into a code,and a communication unit 312 for transmitting the converted code to aperson identification certificate authority 320, and wherein thesampling information processing unit 310 stores a public key certificatefor use in encryption/decryption of data in various communicationprocesses. A controller 311 controls the operations of the personalinformation acquisition unit 314, the information converter 313, and thecommunication unit 312.

The person identification certificate authority (IDA) 320 includes acomparator 321 and storage means 322, wherein the comparator comparessampling data received from the user device (UD) or the service provider(SP) 300 with a template, stored in the storage means, of a user to becertified (preferably, the template is encrypted and stored in theperson identification certificate). The storage means stores, inaddition to templates, data indicating the history of issuing personidentification certificates and data indicating the history ofcomparison.

A certificate authority (CA) 330 is an agency which issues a public keycertificate (PKC) of a user in response to a request from the user,wherein the public key certificate includes a signature of thecertificate authority. The certificate authority stores and manages dataindicating the history of issuing public key certificates and theverification history.

If the person identification certificate authority (IDA) 320 receivessampling information from the user device (UD) or the service provider(SP) 300, the person identification certificate authority (IDA) 320compares the received sampling information with a stored template,wherein an OK or NG message is transmitted as a comparison result to theuser device (UD) or the service provider (SP) 300 depending upon whetherthe received sampling information matches with the stored template.Herein, a verification certificate in a predetermined format may beissued, as will be described later. In the case where a verificationcertificate is issued, the person identification certificate authoritydescribes the history of issuing verification certificates.

Communication among the certificate authority (CA), the personidentification certificate authority (IDA) 320, and the user device (UD)or the service provider (SP) 300 is performed only when a success isachieved in mutual authentication, wherein it is desirable that secretdata be encrypted using a session key created via the mutualauthentication or using public keys of two parties.

In the case of the system shown in FIG. 20, a comparison betweensampling information and a template of a person identificationcertificate (IDC) is made by a service provider (SP) or a user device(UD).

The user device (UD) or the service provider (SP) 400 shown in FIG. 20includes a verification system 410 for acquiring personal informationsuch as fingerprint of various users and performing verification,wherein the verification system 410 includes a general memory 413 forstoring person identification certificates, a person identificationcertificate verification unit 414 for checking whether a personidentification verification has been tempered with, a templatedecryption unit 415 for decrypting an encrypted template described in aperson identification certificate, a personal information acquisitionunit 418 for acquiring sampling information such as fingerprint data, aninformation converter 417 for converting fingerprint data or the likeinto a code, a comparator 416 for comparing the decrypted template withthe coded sampling information, a communication unit 411 forcommunication with a person identification certificate authority 420,and an encryption/decryption unit 419 including a signature generatorand storing public key certificates and a public key for use inencryption/decryption of data in various communication processes. Acontroller 412 controls the operation of the respective units.

The person identification certificate authority (IDA) 420 includes aperson identification certificate issuing unit 421 and a storage means422, and the person identification certificate authority (IDA) 420issues a person identification certificate in which a template of aperson to be certified is stored, in response to a request from the userdevice (UD) or the service provider (SP) 400. The storage means 422stores templates, person identification certificates, data representingthe history of issuing person identification certificates, and datarepresenting the history of verification.

A certificate authority (CA) 430 is an agency which issues a public keycertificate (PKC) of a user in response to a request from the user,wherein the public key certificate includes a signature of thecertificate authority. The certificate authority stores and manages dataindicating the history of issuing public key certificates and theverification history.

As in the system shown in FIG. 19, communication among the certificateauthority (CA), the person identification certificate authority (IDA)320, and the user device (UD) or the service provider (SP) 300 isperformed only when a success is achieved in mutual authentication,wherein it is desirable that secret data be encrypted using a sessionkey created via the mutual authentication or using public keys of twoparties.

[5. Authentication Using Person Identification Certificate (IDC)]

Various manners of authentication using a person identificationcertificate (IDC) are described below. The authentication using a personidentification certificate (IDC) can be classified into two modesdescribed below.

(5.1 On-line Mode)

Static IDC Verification

A template of a person identification certificate (IDC) is encryptedusing a public key of a site at which verification is performed, such asa person identification certificate authority (IDA), a service provider(SP), or a user device (PC), and is registered and stored in a personidentification certification authority (IDA). In response to a requestfrom the service provider (SP) or the user device (PC), the personidentification certificate authority (IDA) supplies the IDC forverification.

Dynamic IDC Verification

A template of a person identification certificate (IDC) is encryptedusing a public key of a person identification certificate authority(IDA) and registered in the IDA. In response to a request from a serviceprovider (SP) or a user device (PC), the template is re-encrypted usinga public key of a site such as the SP or the PC at which verification isperformed, that is, using a public key of an entity which performsperson verification, and the person identification certificate (IDC) isdynamically distributed for verification.

(5.2 Off-Line Mode)

Static IDC Verification

A template of a person identification certificate (IDC) is encryptedusing a public key of a site at which verification is performed, such asa person identification certificate authority (IDA), a service provider(SP), or a user device (PC), that is, using a public key of an entitywhich performs person verification, or a template is encrypted using asymmetric key and this symmetric key is encrypted using a public key ofa person identification certificate authority (IDA), a service provider(SP) or a user device (PC) and is registered in a person identificationcertificate authority (IDA) and distributed to each user. When personverification is performed, an IDC and sampling information aretransmitted to a site at which verification is performed. Theverification processes in the respective modes are described below.

(5.1.1 On-Line Mode Static Verification)

In on-line mode static verification, when sampling data input by aperson is compared, for verification, with a template of a personidentification certificate (IDC), the person identification certificate(IDC) is dynamically issued by a person identification certificateauthority (IDA), and comparison for verification is performed in asystem, that is, by a user device (PC), a service provider (SP), or aperson identification certificate authority (IDA). That is, a comparisonbetween sampling data input by a person and a template of a personidentification certificate (IDC) is made by an entity which executes aperson verification process. The person identification certificateauthority (IDA) retrieves, from a database, template informationencrypted with a public key of a system which performs comparison andtransmits the retrieved template information to the system, at whichinput sampling data is compared with the template obtained by decryptingthe received IDC thereby identifying the person.

FIGS. 21A to 21C are diagrams illustrating manners of performingverification by a system such as a user device (such as a PC), a serviceprovider (SP), or a person identification certificate authority (IDA).Data transfer among the respective systems including the user device,the service provider (SP), and the person identification certificateauthority (IDA) shown in FIGS. 21A to 21C is performed, basically, onlywhen a success is achieved in mutual authentication between atransmitting system and a receiving device, wherein the data istransmitted after being encrypted using a session key created via theauthentication process.

FIG. 21A shows an example in which comparison for verification isperformed by a user device. A person identification certificateauthority (IDA) stores a person identification certificate (IDC)including a template encrypted using a public key of the user device,wherein when the user device performs verification, the user deviceacquires a person identification certificate (IDC) of a person to beauthenticated by requesting the person identification certificateauthority (IDA) to provide the person identification certificate (IDC)of that person.

The acquisition of the person identification is performed, for example,such that the user device transmits to the person identificationcertificate authority (IDA) the unique ID of the public key certificate(PKC) of the user to be authenticated or the user device, and the personidentification certificate authority (IDA) extracts the correspondingIDC of the person from the stored IDCs in accordance with the receivedunique ID and transmits the extracted IDC to the user device. Public keycertificates (PKC) and person identification certificates (IDCs) may belinked in various manners. IDC identification data depending upon themanner of forming the link is transmitted from a user device to a personidentification certificate authority (IDA), and the personidentification certificate authority (IDA) retrieves a personidentification certificate (IDC) using the received data as a key. Themanners of linking public key certificates (PKC) and personidentification certificates (IDCs) will be described in further detaillater.

The user device acquires a template by decrypting, using a private keyof the user device, an encrypted template in a person identificationcertificate (IDC) received from the person identification certificateauthority (IDA) and performs verification by comparing the acquiredtemplate with personal data, for example, sampling data such asfingerprint data acquired via a sampling data extracting apparatus.Depending upon whether they match with each other, verification isconcluded as OK or NG. It is required that the sampling data and thetemplate stored in the IDC should be of the same type. For example, whenone of them is fingerprint data, the other one should also befingerprint data. When one is iris data, the other should be iris data.A plurality of different identification data may be stored as templatesin a person identification certificate (IDC), and input sampling datamay be regarded as valid when the input sampling data matches with oneof the plurality of identification data.

Only when verification is successfully passed, for example, a particularapplication program installed on the user device is allowed to beexecuted to perform data processing such as accessing to a database,updating of data, or inputting of data. If verification fails, executionof data processing is not allowed. In this case, the user device servingas a data processing apparatus having the comparison/verificationcapability is the entity which requests person authentication andexecutes person authentication.

In the system shown in FIG. 21B, comparison for verification isperformed by a service provider (SP). A person identificationcertificate authority (IDA) stores a person identification certificate(IDC) including a template encrypted using a public key of the serviceprovider (SP), wherein when the service provider performs verification,sampling information of a person to be verified and a public keycertificate (PKC) of that person are transmitted to the service provider(SP) from a user device. In the case where the service provider (SP)already has the PKC, identification data identifying the PKC may betransmitted. It is desirable that sampling data be transmitted to theservice provider (SP) after encrypting the sampling data using a sessionkey created via mutual authentication or using the public key of theservice provider (SP), so that the sampling data can be decrypted byonly the service provider (SP). In this system, the entity whichrequests verification of a person is the user device, and the entitywhich executes the verification of the person is a service providerwhich provides a service to the user device.

The service provider (SP) transmits the unique ID of a public keycertificate (PKC) of a person or a user device to the personidentification certificate authority (IDA) to request the personidentification certificate authority (IDA) to provide a personidentification certificate (IDC) of the person to be verified. Inaccordance with the received unique ID, the person identificationcertificate authority (IDA) retrieves the IDC of the person from thestored IDCs and transmits the retrieved IDC to the service provider(SP). Herein, the IDC includes a template encrypted using a public keyof the service provider (SP).

The service provider (SP) acquires the template by decrypting, using theprivate key of the service provider (SP), the encrypted templateincluded in the person identification certificate (IDC) received fromthe person identification certificate authority (IDA), and the serviceprovider (SP) performs verification by comparing the template with datawhich is obtained by decrypting encrypted sampling data such asfingerprint data which is acquired via a sampling data extractingapparatus and transmitted from the user device. Depending upon whetherthey match with each other, verification is concluded as OK or NG. Theverification result (OK or NG) is transmitted to the user device, and,depending upon the verification result, it is determined whether or notthe following process such as requesting the service provider (SP) totransmit a content or requesting for viewing of data should be allowed.

In the system shown in FIG. 21C, comparison for verification isperformed by a person identification certificate authority (IDA). Theperson identification certificate authority (IDA) stores a personidentification certificate (IDC) including a template encrypted using apublic key of the person identification certificate authority (IDA).When the person identification certificate authority (IDA) performsverification, sampling information of a person to be verified and apublic key certificate (PKC) of that person or of a user device aretransmitted to the person identification certificate authority (IDA) viaa service provider (SP). In the case where the person identificationcertificate authority (IDA) already has the PKC, identification dataidentifying the PKC may be transmitted. It is desirable that thesampling data be transmitted to the person identification certificateauthority (IDA) after being encrypted using a public key of the personidentification certificate authority (IDA) so that the sampling data canbe decrypted only by the person identification certificate authority(IDA). In this system, the entity which requests verification of aperson is the user device or the service provider, and the entity whichexecutes the verification of the person is the person identificationcertificate authority (IDA).

The person identification certificate authority (IDA) retrieves the IDCof the person of interest from the stored IDCs on the basis of theunique ID of the public key certificate (PKC) and acquires the templateby decrypting the encrypted template included in the personidentification certificate (IDC) using the private key of the personidentification certificate authority (IDA), and furthermore, the personidentification certificate authority (IDA) performs verification bycomparing the template with data which is obtained by decryptingencrypted sampling data such as fingerprint data which is acquired via asampling data extracting apparatus and transmitted from the user devicevia the service provider (SP). Depending upon whether they match witheach other, verification is concluded as OK or NG. The verificationresult (OK or NG) is transmitted to the service provider (SP) and theuser device, and, depending upon the verification result, it isdetermined whether or not the following process such as requesting bythe user device the service provider (SP) to transmit a content orrequesting for viewing of data should be allowed.

(5.1.2 On-Line Mode Dynamic Verification)

In on-line mode dynamic verification, when sampling data input by aperson is compared, for verification, with a template of a personidentification certificate (IDC), the person identification certificate(IDC) is dynamically issued by a person identification certificateauthority (IDA), and comparison for verification is performed in asystem, that is, by a user device (PC), a service provider (SP), or aperson identification certificate authority (IDA). The templateinformation encrypted with the public key of the person identificationcertificate authority (IDA) is decrypted by the person identificationcertificate authority (IDA) and the IDC is transmitted, after beingre-encrypted using a public key of a system at which verification is tobe performed, to the system, at which the template is decrypted andcompared with input sampling data thereby identifying a person.

FIG. 22 shows a system in which comparison for verification is performedby a user device. A person identification certificate authority (IDA)stores a person identification certificate (IDC) including a templateencrypted using a public key of the person identification certificateauthority (IDA), wherein when the user device performs verification, theuser device acquires a person identification certificate (IDC) of aperson to be authenticated by requesting the person identificationcertificate authority (IDA) to provide the person identificationcertificate (IDC) of that person.

In the process of acquiring the person identification certificate (IDC),a public key certificate (PKC) of a person to be certificated or of auser device, or the unique ID of the public key certificate (PKC) if theperson identification certificate authority (IDA) already has the publickey certificate (PKC) of that user or the user device, is transmitted tothe person identification certificate authority (IDA) from the userdevice, and the person identification certificate authority (IDA)retrieves the IDC of the person from the stored IDCs on the basis of thereceived unique ID or the unique ID extracted from the PKC.

The person identification certificate authority (IDA) decrypts theencrypted template extracted from the retrieved IDC using the privatekey of the person identification certificate authority (IDA),re-encrypts the template using the public key of the user device,re-issues the person identification certificate (IDC), and transmits there-issued IDC to the user device.

The user device acquires the template by decrypting, using the privatekey of the user device, the encrypted template included in the personidentification certificate (IDC) received from the person identificationcertificate authority (IDA), and the user device performs verificationby comparing the acquired template with personal data, for example,sampling data such as fingerprint data acquired via a sampling dataextracting apparatus. Depending upon whether they match with each other,verification is concluded as OK or NG. Only when verification issuccessfully passed, for example, a particular application programinstalled on the user device is allowed to be executed to perform dataprocessing such as accessing to a database, updating of data, orinputting of data. If verification fails, execution of data processingis not allowed.

FIG. 23 shows a system in which comparison for verification is performedby a service provider (SP). A person identification certificateauthority (IDA) stores a person identification certificate (IDC)including a template encrypted using a public key of the personidentification certificate authority (IDA). When verification isperformed in the service provider (SP), the service provider (SP)transmits a public key certificate (PKC) of the service provider (SP) tothe person identification certificate authority (IDA). In the case wherethe person identification certificate authority (IDA) already has thePKC of the service provider (SP), identification data identifying thePKC may be transmitted.

Thereafter, a public key certificate (PKC) of a person to be verified orof a user device is transmitted from the user device to the personidentification certificate authority (IDA) via the service provider(SP). In the case where the person identification certificate authority(IDA) already has the PKC of the user device, identification dataidentifying the PKC may be transmitted.

The person identification certificate authority (IDA) retrieves the IDCof the person from the stored IDCs on the basis of the received uniqueID and decrypts the encrypted template included in the retrieved IDC,using the private key of the person identification certificate authority(IDA), re-encrypts the template using the public key of the serviceprovider (SP), re-issues the person identification certificate (IDC),and transmits the re-issued IDC to the service provider (SP).

The service provider (SP) acquires the template by decrypting, using theprivate key of the service provider (SP), the encrypted templateincluded in the person identification certificate (IDC) received fromthe person identification certificate authority (IDA), and the serviceprovider (SP) performs verification by comparing the template with datawhich is obtained by decrypting encrypted sampling data such asfingerprint data which is acquired via a sampling data extractingapparatus and transmitted from the user device. Depending upon whetherthey match with each other, verification is concluded as OK or NG. Theverification result (OK or NG) is transmitted to the user device, and,depending upon the verification result, it is determined whether or notthe following process such as requesting a service provider (SP) totransmit a content or requesting for viewing of data should be allowed.

(5.2 Off-Line Mode)

In the off-line mode, verification is performed statically, unlike theon-line mode in which a person identification certificate authority(IDA) dynamically issues a person identification certificate (IDC) whenthe IDC is required in verification of sampling information. Therefore,person authentication is performed in a different manner depending uponthe encryption algorithm used to encrypt the template informationincluded in the person identification certificate (IDC) and alsodepending upon the location where comparison for verification isperformed. In the off-line mode, because an encrypted template includedin a person identification certificate (IDC) is decrypted by a devicesuch as a user device or a service provider (SP) which performscomparison for verification, it is necessary that the encryption of thetemplate be performed such that the user device or the service provider(SP) can decrypt the encrypted template.

In the off-line mode, static verification is performed as describedbelow.

(5.2.1) Verification Performed by Device

a. Verification is performed by a user device in which both a personidentification certificate (IDC) and a public key certificate (PKC) arestored.

b. Verification is performed by a user device in which both a personidentification certificate (IDC) and a public key certificate (PKC) arenot stored.

(5.2.2) Verification Performed by Service Provider

c. Verification is performed by a service provider when templateinformation included in a person identification certificate (IDC) isencrypted using a public key of the service provider (SP).

d. Verification is performed by a service provider when templateinformation included in a person identification certificate (IDC) isencrypted using a public key of a user device or a symmetric key.

The manners of verification are described below in further detail below.

(5.2.1) Verification Performed by Device

a. In the case where verification is performed by a user device in whichboth a person identification certificate (IDC) and a public keycertificate (PKC) are stored.

A user device can include both an IDC and a PKC, for example, when theuser device is designed to execute a process of comparing samplinginformation with a template included in a person identificationcertificate (IDC), provided that a person identification certificate(IDC) of a user to be authenticated and a public key certificate (PKC)exist, template information included in the person identificationcertificate (IDC) is encrypted using a public key of the devicedescribed in the public key certificate (PKC), and the public keycertificate (PKC) can be specified by the person identificationcertificate (IDC). When comparison for verification is performed, theencryption algorithm of the template included in a person identificationcertificate (IDC) and a public key certificate (PKC) describing a publickey used as an encryption key are detected, and a private keycorresponding to the detected public key is then detected and thetemplate is decrypted using the private key.

FIG. 24 is a diagram illustrating a verification process performed by auser device storing an IDC and a PKC. The user device inputs personaldata, that is, sampling information such as fingerprint informationacquired via a sampling information acquisition apparatus. The userdevice reads a person identification certificate (IDC) stored in theuser device and detects a public key certificate (PKC) in which thepublic key applied to the encryption of the template is stored, on thebasis of the information about the template encryption algorithm.Furthermore, the user device detects the private key corresponding tothe detected public key. The private key is one element of a pair of thepublic key and the private key of the user device, and is stored in thesecure memory of the user device. Using this private key stored in thesecure memory, the encrypted template of the person identificationcertificate (IDC) is decrypted. Thereafter, the decrypted template iscompared with the sampling information.

Only when verification is successfully passed, for example, a particularapplication program installed on the user device is allowed to beexecuted to perform data processing such as accessing to a database,updating of data, or inputting of data. If verification fails, executionof data processing is not allowed.

b. In the case where an IDC and a PKC are not stored in the same device

In the case where a device is used by a great number of users (that is,in the case of a shared user device), it is difficult to store personidentification certificates (IDCs) of all users in the device. In such acase, the person identification certificate (IDC) of each user istransferred into the user device from a personal terminal (such as an ICcard or other mobile terminal), the process is performed on the basis ofthe transferred IDC. The process is performed in one of three mannersdescribed below.

(b-1) IDC stored in a personal terminal is transmitted to a shared userdevice to perform verification.

(b-2) Template information is decrypted by a personal terminal andtransmitted to a shared user device to perform verification.

(b-3) Verification is performed by a personal terminal.

The processes in the respective modes are described below.

(b-1) IDC stored in a personal terminal is transmitted to a shared userdevice to perform verification.

FIG. 25 is a diagram illustrating a system in which verification isperformed by transmitting a person identification certificate (IDC)stored in a personal terminal such as an IC card to a shared userdevice.

When a user wants to execute some data processing using an applicationprogram installed on the shared user device, the user inserts a mobileterminal such as an IC card into the shared user device. A personidentification certificate (IDC) issued by a person identificationcertificate authority (IDA) is stored in the IC card. In this mode, theshared user device is an entity which executes a person verificationprocess.

After inserting the mobile personal terminal such as an IC card into theshared user device, the person identification certificate (IDC) istransmitted from the mobile terminal to the shared user device. It isdesirable that, before transmitting the IDC, mutual authentication beperformed between the mobile terminal and the shared user device and theIDC is transmitted after being encrypted using a session key created inthe mutual authentication process.

Upon receiving the person identification certificate (IDC) from themobile terminal, the shared user device verifies the signature of theperson identification certificate authority (IDA) added to the IDC tocheck whether the IDC is tampered with. If it is determined that the IDChas not been tampered with (OK), the encrypted template information isextracted from the IDC. Note that the encryption of the template wasperformed using the public key of the shared user device or thesymmetric key. In the case where the template was encrypted using thepublic key of the shared user device, the template can be decryptedusing the private key of the shared user device.

In the case where the template was encrypted using the symmetric key,the process described in blocks surrounded by a broken line in FIG. 25is performed by the personal terminal. The symmetric key used to encryptthe template is encrypted using a public key of the personal terminaland stored in a person identification certificate (IDC). The personalterminal extracts the encrypted symmetric key from the personidentification certificate (IDC) and decrypts the symmetric key usingthe private key of the personal terminal. The obtained symmetric key istransmitted to the shared user device. It is desirable that thesymmetric key be transmitted after being encrypted using a session keycreated during the mutual authentication. Alternatively, the symmetrickey may be transmitted after being encrypted using the public key of theuser device.

The shared user device decrypts the encrypted template using the privatekey of the shared user device and the symmetric key, and compares thetemplate with sampling information input via the sampling informationacquisition apparatus.

(b-2) In the case where template information is decrypted by a personalterminal and transmitted to a shared user device to performverification.

FIG. 26 is a diagram illustrating a system in which verification isperformed by decrypting a person identification certificate (IDC) storedin a personal terminal such as an IC card and then transmitting thedecrypted IDC to a shared user device.

After a user inserts a mobile personal terminal such as an IC card intoa shared user device, a person identification certificate (IDC)decrypted by the mobile terminal is transmitted to the shared userdevice. Herein, the IDC includes template information which is encryptedwith a public key assigned to the particular mobile terminal of eachuser such that the encrypted template information can be decrypted usinga private key assigned to each mobile terminal. The encrypted templateinformation extracted from the IDC is decrypted using the private keyassigned to the mobile terminal and transmitted to the user device. Itis desirable that, before transmitting the template, mutualauthentication be performed between the mobile terminal and the shareduser device and the template is transmitted after being encrypted usinga session key created in the mutual authentication process.Alternatively, the template may be transmitted after being encryptedusing the public key of the user device.

Upon receiving the template from the mobile terminal, the shared userdevice extracts the template information and compares it with samplinginformation input via the sampling information acquisition apparatus.

(b-3) Verification performed by a personal terminal

FIG. 27 is a diagram illustrating a system in which verification isperformed by a personal terminal such as an IC card using a personidentification certificate (IDC) stored in the personal terminal andonly the result of the verification is transmitted to a shared userdevice.

When a user inserts a mobile personal terminal such as an IC card into ashared user device, an encrypted template included in a personidentification certificate (IDC) is decrypted by the mobile terminal.Herein, the IDC includes template information which is encrypted with apublic key assigned to the particular mobile terminal of each user suchthat the encrypted template information can be decrypted using a privatekey assigned to each mobile terminal. The encrypted template informationextracted from the IDC is decrypted using the private key assigned tothe mobile terminal.

Sampling information is acquired via a sampling information acquisitionapparatus and transmitted to the personal terminal such as an IC cardvia the user device. It is desirable that, before transmitting thesampling information, mutual authentication be performed between themobile terminal and the shared user device and the sampling informationis transmitted after being encrypted using a session key created in themutual authentication process. Upon receiving the sampling informationfrom the user device, the personal terminal compares the decryptedtemplate with the sampling information and returns the comparison resultto the user device. In this mode, the IC card employed as the mobileterminal is an entity which executes a person verification process.

(5.2.2) Verification Performed by Service Provider

Manners in which a service provider (SP) authenticates an use to whom aservice is to be provided are described below.

c. Verification performed by a service provider when templateinformation included in a person identification certificate (IDC) isencrypted using a public key of the service provider (SP).

First, a process performed when template information of a personidentification certificate (IDC) is encrypted using a public key of aservice provider (SP) is described below with reference to FIG. 28.

A user device, which wants to receive a service such as contentdistribution or settlement from a service provider (SP), acquires apersonal information such as a fingerprint of a user via a samplinginformation acquisition apparatus. Thereafter, mutual authentication isperformed between the user device and the service provider (SP). If themutual authentication is successfully completed, the user devicetransmits the sampling information to the service provider (SP). In thetransmission of the sampling information, the sampling information isencrypted using a session key created during the mutual authenticationor using a public key of the service provider. Furthermore, the userdevice transmits a person identification certificate (IDC) of the userdevice to the service provider (SP). The person identificationcertificate (IDC) includes template information encrypted using thepublic key of the service provider.

Upon receiving the sampling information and the person identificationcertificate (IDC) from the user device, the service provider (SP)decrypts the encrypted template information stored in the personidentification certificate (IDC), using the private key of the serviceprovider (SP) and compares the decrypted template information with thesampling information.

If they match with each other, the user is regarded as an authorizeduser, and the service provider provides a service such as contentdistribution or settlement to the user (user device). In the case wherethe verification by comparison fails, the user is regarded as anunauthorized user, and service is not provided.

d. Verification performed by a service provider when templateinformation included in a person identification certificate (IDC) isencrypted using a public key of a user device or a symmetric key.

When template information included in a person identificationcertificate (IDC) is encrypted using a public key of a user device or asymmetric key, user authentication may be performed by a serviceprovider (SP) as described below. In this case, user authentication maybe performed in one of the three modes described below.

(d-1) A symmetric key used by a user device to encrypt a template istransmitted to a service provider (SP) and the service provider (SP)performs comparison for verification.

(d-2) Template information is decrypted by a user device and transmittedto a service provider (SP) for use in verification.

(d-3) Comparison for verification is performed by a user device.

The processes in the respective modes are described below.

(d-1) IDC stored in a user device is transmitted to a shared userdevice, and the shared user device performs comparison for verification.

FIG. 29 is a diagram illustrating a system in which a personidentification certificate (IDC) stored in a user device is transmittedto a service provider (SP) and the service provider (SP) performscomparison for verification.

When a user of a user device wants to receive a service from a serviceprovider (SP), mutual authentication between the user device and theservice provider (SP) is performed. If the mutual authentication issuccessfully completed, a person identification certificate (IDC) of theuser is transmitted to the service provider. In the transmission of theIDC, the IDC is preferably encrypted using a session key created duringthe mutual authentication or using a public key of the service provider(SP).

Upon receiving the person identification certificate (IDC) from the userdevice, the service provider (SP) verifies a signature of a personidentification certificate authority (IDA) written in the IDC to checkwhether or not the IDC has been tampered with. If it is determined thatthe IDC has not been tampered with (OK), the service provider (SP)extracts encrypted template information from the IDC, wherein asymmetric key is used in encryption of the template.

The symmetric key used to encrypt the template has been encrypted usingthe public key of the user device and stored in the personidentification certificate (IDC). The user device extracts the encryptedsymmetric key from the person identification certificate (IDC) anddecrypts it using the private key of the user device. The obtainedsymmetric key is transmitted to the service provider (SP). It isdesirable that the symmetric key be transmitted after being encryptedusing a session key created during the mutual authentication.Alternatively, the symmetric key may be transmitted after beingencrypted using the public key of the service provider (SP).

The service provider (SP) acquires the symmetric key by performingdecryption using the private key of the service provider (SP) or thesession key, and the service provider (SP) further decrypts theencrypted template using the acquired symmetric key. The serviceprovider (SP) then compares the obtained template with samplinginformation which is input via a sampling information acquisitionapparatus and transmitted therefrom via the user device. Mutualauthentication is performed between the user device and the serviceprovider (SP). If the mutual authentication is successfully completed,the user device transmits the sampling information to the serviceprovider (SP). In the transmission of the sampling information, thesampling information is encrypted using a session key created during themutual authentication or using a public key of the service provider.

(d-2) Template information is decrypted by a user device and transmittedto a service provider (SP) for use in verification.

FIG. 30 is a diagram illustrating a system in which verification isperformed by decrypting a person identification certificate (IDC) storedin a user device and then transmitting the decrypted IDC to a serviceprovider (SP).

A person identification certificate (IDC) is decrypted by a user deviceand transmitted to a service provider (SP). Herein, the IDC includestemplate information which is encrypted with a public key assigned tothe particular user device such that the encrypted template informationcan be decrypted using a private key assigned to the user device. Theencrypted template information extracted from the IDC is decrypted usingthe private key assigned to the user device, and then transmitted to theservice provider (SP). It is desirable that, before transmitting thetemplate, mutual authentication be performed between the user device andthe service provider (SP) and the template is transmitted after beingencrypted using a session key created in the mutual authenticationprocess. Alternatively, the template may be transmitted after beingencrypted using a public key of the service provider (SP).

Upon receiving the template from the user device, the service provider(SP) extracts the template information and compares it with samplinginformation which is input via a sampling information acquisitionapparatus and transmitted from the user device.

(d-3) Comparison for verification is performed by a user device.

FIG. 31 is a diagram illustrating a system in which verification isperformed by a user device using a person identification certificate(IDC) stored in the user device and only the result of the verificationis transmitted to a service provider (SP).

The user device decrypts the encrypted template included in the personidentification certificate (IDC). Herein, the IDC includes templateinformation which is encrypted with a public key assigned to theparticular user device such that the encrypted template information canbe decrypted using a private key assigned to the user device. Theencrypted template information extracted from the IDC is decrypted usingthe private key assigned to the user device.

Sampling information is acquired via a sampling information acquisitionapparatus and input to the user device. The user device performsverification by comparing the decrypted template with the samplinginformation and transmits the verification result to the serviceprovider (SP). In accordance with the result, the service provider (SP)determines whether or not a service should be provided.

[6. Control of Permission of Usage of Content According to UserAuthentication on the Basis of Person Identification Certificate]

A process of controlling permission of usage of various contents such asmusic data or image data and various programs such as a game inaccordance with user authentication on the basis of a personidentification certificate (IDC) is described below.

FIG. 32 illustrates a configuration of a secure container containing acontent to be distributed via content transaction. The secure containershown in FIG. 32 may be used to distribute a content from a serviceprovider to a user device and may also be used to distribute a contentfrom a user device to another user device.

A secure container can be distributed not only from a service providerto users but also among users. When a content is distributed amongusers, the distribution may be performed in either one of the twomanners described below. In a first manner, a content is transmitted forsales in series from one user to another, for example, from a user A toa user B and then from the user B to a user C, and so on. The seriesdistribution of contents among users is referred to as “intergenerationdistribution”. In a second manner, a content purchased by a user A isdistributed in parallel from the user A to an users B, C, D, etc. Thatis, the same content is distributed from one user to a plurality ofusers. This parallel content distribution is referred to as “secondarydistribution”.

As shown in FIG. 32, a secure container 700 includes a content 701encrypted using a content key, price information 702 includinginformation about the price of the content, sales restrictioninformation (USP) 703 indicating the restriction on the usage of thecontent, and a digital signature 704 of a producer of the securecontainer, such as a service provider, wherein the sales restrictioninformation (UCP) 703 indicates, for example, that the content ispermitted to be used only once and reselling among users via“intergeneration distribution” or “secondary distribution” is notpermitted, or that the content is permitted to be resold among users aplurality of times. In the case where the content is permitted to beresold among users a plurality of times, the sales restrictioninformation (UCP) 703 may indicate the details of the restriction on thereselling. For example, the sales restriction information (UCP) 703indicates that “intergeneration distribution” is allowed up to two timesor that “secondary distribution” is allowed up to three times. The priceinformation 702 and the sales restriction information (UCP) 703 of thesecure container are generically referred to as container information.At least either one of or both of the price information 702 and thesales restriction information (UCP) 703 of the container information ofthe secure container include a list of person identificationcertificates (IDCs) of users who are authorized to use the content.

FIG. 33 is a diagram illustrating a form of a list of personidentification certificates (IDCs). The list of person identificationcertificates (IDCs) includes user IDs or user identifiers andidentifiers of the person identification certificates (IDCs) of therespective users.

The container information including the price information 702 and thesales restriction information (UCP) 703 is management information whichis set by one of a content producer, a content provider, and a serviceprovider. For example, a service provider produces data such that a listof person identification certificates (IDCs) of registered users isincluded in the price information 702 or the sales restrictioninformation 703. The digital signature is written by an agency or anorganization which manages the distribution of contents. In the casewhere the distribution of contents is managed by a service provider, thedigital signature is written by the service provider.

FIG. 34 illustrates a specific example of a form of sales restrictioninformation (UCP) 703. As shown in FIG. 34, the sales conditioninformation (UCP) includes a person identification certificate (IDC)list 711 which is data indicating of a list of identifiers of personidentification certificates (IDCs) of users who are permitted to use acontent. The sales condition information (UCP) further includes acontent identifier (ID), usable device conditions indicating userdevices on which the content can be used, an area code indicating anarea where the content can be used, and the type of permitted usageindicating the manners in which the content is permitted to be used (forexample, the maximum number of times the content is allowed to bereproduced, the maximum number of time the content is allowed to becopied (downloaded)).

The type of permitted usage is data indicating the manners in which thecontent is permitted to be used. FIG. 35 illustrates an example of aformat of the permitted usage data. Rule numbers are assigned torespective items of the permitted usage, such as whether reproduction ispermitted, whether copying is permitted, how long the copy is allowed tobe reproduced or copied, and how many times the copy is allowed to bereproduced or copied. In FIG. 35, SCMS is copy restriction informationwhich indicates the maximum number of times the content is allowed to becopied. A user is permitted to reproduce and copy the content within therestriction defined in the sales restriction information of the securecontainer, wherein the respective items of the restriction are denotedby the rule numbers.

As shown in FIG. 34, the sales restriction information (UCP) alsoincludes “UCP generation management information” 712 indicating themaximum number of times the content is permitted to be distributed amonguser devices via “intergeneration distribution”, and “maximum allowablenumber of secondary distributions” 713 indicating the maximum number oftimes the content is permitted to be distributed via “secondarydistribution”. The maximum number of times the content is permitted tobe distributed among users defined in “UCP generation managementinformation” is inherited into the usage control status (UCS)information (FIG. 38) stored in a user device depending upon the usageof the secure container. In accordance with the maximum number of timesthe content is permitted to be distributed among users defined in “UCPgeneration management information”, “UCS generation managementinformation” and “UCS allowable number of secondary distributions” aredescribed in the usage control status (UCS) information. The “UCSgeneration management information” is updated each time intergenerationdistribution of the content is performed and the “UCS allowable numberof secondary distributions” is updated each time secondary distributionof the content is performed. The usage control status (UCS) informationwill be described in further detail later.

FIG. 36 is a diagram illustrating an example of a data format of priceinformation included in a secure container. The price informationincludes information indicating the content ID as in the salesrestriction information (UCP) shown in FIG. 34. In addition, the priceinformation includes information indicating a price information ID andinformation indicating a price information version. Furthermore, as inthe sales restriction information (UCP) shown in FIG. 34, the priceinformation includes a person identification certificate (IDC) list 721.That is, data indicating the list of identifiers of personidentification certificates (IDCs) of users who are permitted to use thecontent is included in the sales restriction information (UCP).

FIG. 37 is a diagram illustrating a manner of distributing a contentusing a secure container. A content provider (CP) 801 generates oracquires a content which is to be stored in a secure container, and thecontent provider (CP) 801 provides the generated or acquired contenttogether with sales restriction (UCP) data of the content to a serviceprovider (SP) 802 which distributes the content to users. The serviceprovider (SP) 802 generates price information of the content and storesa list of person identification certificates (IDC) of users who arepermitted to use the content into at least one of or both of the priceinformation and the sales restriction information (UCP). The serviceprovider (SP) 802 further writes a digital signature thereby forming asecure container and transmits the resultant secure container to a userdevice 803.

The user device 803 verifies the signature of the secure container.Furthermore, the user device 803 verifies other information such as thesales restriction (UCP) data and the price information included in thesecure container to check that the data has not been tampered with. Theuser device 803 then extracts the IDC identifier of the user device 803from the person identification certificate (IDC) list from either thesales restriction (UCP) data or the price information, and acquires theperson identification certificate (IDC) indicated by the IDC identifier.The user device 803 then compares the template included in the IDC withsampling information. The comparison for verification is performed byone of the user device, the service provider, and the personidentification certificate authority (IDA). In the case where the personverification has been successfully passed, it becomes possible for theuser to use the content, that is, decrypt the content. Morespecifically, provided that the verification has been passed, thecontent key used to encrypt the content is transmitted from the serviceprovider to the user device. This makes it possible for the user deviceto reproduce and copy the content included in the secure container usingthe content key.

The user device stores the secure container onto a storage medium of theuser device 803. The user device 803 then generates charge informationindicating the charge for use of the content and transmits it to aclearing center 804 which performs settlement. The charge information isgenerated on the basis of the data described in the price informationdescribed earlier. The clearing center transfers the charge from, forexample, an electronic money account from the user in accordance withthe charge information. The user device 803 is allowed to distribute thesecure container to another user device 805, as will be described indetail later. When storing the secure container, the user devices 803and 805 generate usage control status (UCS) information and store itinto a memory.

FIG. 38 illustrates an example of usage control status (UCS) informationwhich is generated by a user device and stored in a memory of a userdevice, when the secure container is stored. As shown in FIG. 38, theusage control status (UCS) information includes, in addition to the dataindicating the content ID and the service provider ID, informationindicating the content usage restriction such as the number of times thecontent is allowed to be further reproduced or the number of times thecontent is allowed to be further copied. Note that the number of timesthe content is allowed to be further reproduced or copied indicates thenumber of times the content is allowed to be further reproduced orcopied using the same user device. The usage control status (UCS)information is generated, updated, and inherited in accordance with thepermitted usage data which is included in the sales restriction (UCP)data of the content and which defines the permitted usage of thecontent. Thus, a user device uses the content in accordance with thecontent usage restriction data included in the content sales restriction(UCP) data indicating the content usage restriction or in accordancewith the usage control status information generated in accordance withthe usage restriction data.

The usage control status (UCS) information further includes a personidentification certificate (IDC) list 731. That is, data indicating thelist of identifiers of person identification certificates (IDCs) ofusers who are permitted to use the content is included in the usagecontrol status (UCS) information. This list is generated by inheritingthe data described in the sales restriction (UCP) information. The usagecontrol status (UCS) information further includes “UCS generationmanagement information” 732 and “UCS allowable number of secondarydistributions” 733.

As described earlier, the “UCS generation management information”indicates the number of times intergeneration distribution of thecontent is allowed to be performed. For a user device which firstpurchases a content, the same number as the number defined in the “UCPgeneration management information” is set in the UCS generationmanagement information. For a user device which receives the contentfrom a user via the intergeneration distribution, the number equal tothe value obtained by subtracting the number of times intergenerationdistribution has been performed from the number defined in the “UCPgeneration management information” is set in the UCS generationmanagement information.

“UCP allowable number of secondary distributions” 733 is a field inwhich the number of times secondary distribution of the content isallowed. For a user device which first purchases the content, the samenumber as the number defined in the “UCP allowable number of secondarydistributions” in the sales restriction (UCP) information is set, and isupdated, that is, decremented, each time secondary distribution isperformed thereafter.

As described above, distribution of the content among users is allowedor forbidden depending upon the “UCS generation management information”or “UCS allowable number of secondary distributions” in the usagecontrol status (UCS) information stored in the memory of the user devicetogether with the content. The “UCS generation management information”is updated each time intergeneration distribution of the content isperformed, and the “UCS allowable number of secondary distributions” isupdated each time secondary distribution of the content is performed.

FIG. 39 is a diagram illustrating a manner of using a personidentification certificate (IDC) when a secure container containing acontent is distributed from a service provider to a user device.

First, a user 820 of a user device 810 request a person identificationcertificate authority (IDA) 830 to issue a person identificationcertificate (IDC) of the user 820. When the user 820 issues the request,the user 820 presents his/her biometric information and other personalinformation to the person identification certificate authority (IDA)830. After verifying the authenticity of the user, the personidentification certificate authority (IDA) 830 generates templateinformation in accordance with sampling information and furthergenerates a person identification certificate (IDC) in which encryptedtemplate information is stored.

In response to a request, the generated person identificationcertificate (IDC) is distributed to the user device 810 or a serviceprovider 840 and stored therein. For example, when the user 820 wants toreceive a content from the service provider 840, the service provider840 authenticates the user 820 on the basis of the person identificationcertificate (IDC) stored in the service provider 840. That is, theservice provider 840 compares the sampling information received from theuser with the template information included in the person identificationcertificate (IDC), and, if they match with each other, the serviceprovider 840 regards the user who provided the sampling information asan authorized user corresponding to the person identificationcertificate (IDC) and distributes the content to the user.

When the user 820 wants to use the user device 810, authentication isalso performed on the basis of the person identification certificate(IDC) stored in the user device 810. That is, sampling information inputby the user is compared with the template information included in theperson identification certificate (IDC), and, if they match with eachother, the user device 810 determines that the user who provides thesampling information is an authorized user corresponding to the personidentification certificate (IDC) and permits the user to use the userdevice for data processing.

As described above, user authentication may be performed individuallyusing a person identification certificate (IDC) by a user device or aservice provider at various locations. Note that, as described earlier,the template stored in the person identification certificate (IDC) isencrypted using a public key of a system which performs comparison forverification.

FIG. 40 is a flow chart of a process in which a secure container isreceived from a service provider and a person authentication isperformed by a user device so that the content can be used only byauthorized users. The respective steps in the flow are described below.

In step S701, mutual authentication is performed between a serviceprovider and a user device. Only when the mutual authentication issuccessfully completed (Yes in S702), the service provider extracts asecure container (S703) and transmits the extracted secure container tothe user device (S704). In the mutual authentication, a session key iscreated, and used, as required, to encrypt data which is transferredbetween the service provider and the user device.

The user device verifies the received secure container (S705). Herein,the verification includes the verification of the signature of thesecure container itself and the signatures of the respective data suchas the price information and the sales restriction (UCP) informationdescribed in the container.

If the verification of the container is successfully passed (Yes inS706), a user inputs sampling information and a user ID to the userdevice (S707). The user device extracts a person identification (IDC)list from the price information or the sales restriction (USP)information of the secure container (S708) and retrieves an IDCidentifier corresponding to the user ID (S709). In the case where an IDCidentifier corresponding to the input user ID is not found, it isdetermined that the user is not a user authorized by the serviceprovider and an error is returned (No in S710). In this case, thefollowing process is not performed.

If an IDC identifier corresponding to the input user ID is found in theperson identification certificate (IDC) list (Yes in S710), a personidentification certificate (IDC) is acquired on the basis of the IDCidentifier (S711). More specifically, in the case where the personidentification certificate (IDC) is stored in the user device, the IDCstored in the user device is employed, while the person identificationcertificate (IDC) is received from the person identification certificateauthority (IDA) or the service provider if the IDC is not stored in theuser device. A template is extracted from the acquired personidentification certificate (IDC) and decrypted using the private key ofthe user device. The template is then compared with the samplinginformation for verification (S712). If the verification fails (No inS713), an error is returned and the following process is not performed.More specifically, the decryption of the content is not performed andthus the usage of the content is limited. In the case where theverification is affirmative (Yes in S713), the service provider isinformed of the success of the verification, and the service providertransmits to the user device a content key to be used in decryption ofan encrypted content stored in the secure container (S714). The userdevice decrypts the encrypted content using the content key receivedfrom the service provider and uses the content (S715).

In this system, as described above, a content stored in a securecontainer is allowed to be used only when a user is verified as anauthorized user via a user verification process using a template of aperson identification certificate (IDC), thereby preventing the contentfrom being used by an unauthorized user.

FIG. 41 is a flow chart of a process in which a person authentication isperformed by a service provider and a secure container is distributedonly to authorized users. The respective steps in the flow are describedbelow.

In step S721, mutual authentication is performed between a serviceprovider and a user device. In the mutual authentication, a session keyis created, and used, as required, to encrypt data which is transferredbetween the service provider and the user device.

Only when the mutual authentication is successfully completed (Yes inS722), the service provider extracts a secure container (S723), and auser inputs sampling information and a user ID to the user device (S735)and transmits them to the service provider (S736).

The service provider extracts a person identification (IDC) list fromthe price information or the sales restriction information (UCP) of thesecure container (S724) and retrieves an IDC identifier corresponding tothe user ID (S725). In the case where an IDC identifier corresponding tothe input user ID is not found, it is determined that the user is not auser authorized by the service provider and an error is returned (No inS726). In this case, the following process is not performed.

If an IDC identifier corresponding to the input user ID is found in theperson identification certificate (IDC) list (Yes in S726), a personidentification certificate (IDC) is acquired on the basis of the IDCidentifier (S727). More specifically, in the case where the personidentification certificate (IDC) is stored in the service provider, theIDC stored in the service provider is employed, while the personidentification certificate (IDC) is received from the personidentification certificate authority (IDA) if the IDC is not stored inthe service provider. A template is extracted from the acquired personidentification certificate (IDC) and decrypted using the private key ofthe service provider. The template is then compared with the samplinginformation for verification (S728). If the verification fails (No inS729), an error is returned and the following process is not performed.More specifically, distribution of the secure container is notperformed. In the case where the verification is affirmative (Yes inS729), the user is regarded as an authorized user and the followingprocess is performed. More specifically, the service providerdistributes the secure container and the content key to the user device(S730).

The service provider transmits a secure container to the user device,and the user device verifies the received secure container (S731).Herein, the verification includes the verification of the signature ofthe secure container itself and the signatures of the respective datasuch as the price information and the sales restriction (UCP)information described in the container. If the verification of thecontainer is successfully completed (Yes in S732), it becomes possibleto use, on the user device, the content in the secure container.

In this system, as described above, a content is allowed to bedistributed only when a user is verified as an authorized user via auser verification process using a template of a person identificationcertificate (IDC), thereby preventing the content from being distributedto an unauthorized user.

Manner of using a person identification certificate (IDC) indistribution of a secure container among user devices are describedbelow.

FIG. 42 is a diagram illustrating a manner of distributing a contentbetween users using a secure container. A service provider (SP)generates price information of the content and stores a list of personidentification certificates (IDC) of users who are permitted to use acontent into at least one of or both of price information and salesrestriction information (UCP). The service provider (SP) further writesa digital signature thereby forming a secure container and transmits theresultant secure container to a user device 1 (920).

If users 940 and 945 who want to use the user device 1 (920) areauthorized users permitted to use the content, the IDC identifiers ofthe user are described in a list of person identification certificates(IDCs) stored in price information or sales restriction (UCP)information of a secure container corresponding to the content or storedin usage control status (UCS) information which is generated by the userdevice and stored in the user device when the secure container is storedin the user device. When a user wants to use the content stored in theuser device 1 (920), authentication of the user is performed on thebasis of the IDC list in the secure container. That is, the user whowants to use the content is requested to input sampling information. Theuser device 1 (920) compares the input sampling information with thetemplate included in the stored person identification certificate (IDC).Only when they match with each other, the user device 1 (920) permitsthe user to use the content.

As described earlier, the secure container may also be distributed amonguser devices. In the case where the secure container has been moved fromthe user device 1 (920) to a user device 2 (930), when users 940 and 945use the content on the user device 2 (930), user authentication isperformed on the basis of the IDC list described in the priceinformation or sales restriction (UCP) information of the securecontainer or in the usage control status (UCS) information. That is, auser who wants to use the content is requested to input samplinginformation. The user device 2 (930) compares the input samplinginformation with the template included in the stored personidentification certificate (IDC). Only when they match with each other,the user device 2 (930) permits the user to use the content.

As described above, when the secure container is moved, the personidentification certificate (IDC) list which was originally stored in theprice information or sales restriction (UCP) information of the securecontainer is maintained unchanged, and the IDC list in the usage controlstatus (UCS) information generated in accordance with the salesrestriction (UCP) information of the secure container is also maintainedunchanged, thereby ensuring that the usage of the content is limited toonly authorized users in accordance with the IDC list.

FIG. 43 illustrates another manner in which a content is distributedusing a secure container among users and a manner in which userauthentication is performed. In the process shown in FIG. 43, usage of auser device, that is, access to the user device, is restricted inaccordance with user authentication on the basis of a personidentification certificate (IDC) stored in the user device, and,furthermore, use of a content is restricted in accordance with userauthentication on the basis of price information, sales restriction(UCP) information, or an IDC list described in usage control status(UCS) information. That is, user authentication is performed for twodifferent purposes.

Before staring to use a user device 1 (950), a user A and a user Bpresent sampling information to a person identification certificateauthority (IDA) 970 and request the person identification certificateauthority (IDA) 970 to issue person identification certificates (IDCs)in which template information is stored in accordance with the samplinginformation. The issued person identification certificates (IDCs) arestored in the user device 1 (950).

When a user issues a request for usage of the user device 950, the userdevice 950 performs user authentication on the basis of the personidentification certificate (IDC) 955 stored in the user device 950. Thatis, the user who wants to use the content is requested to input samplinginformation. The user device 950 compares the input sampling informationwith the template included in the stored person identificationcertificate (IDC). Only when they match with each other, the user ispermitted to use the user device 1 (950).

When a user issues a request for usage of a content stored in a securecontainer 990, user authentication is performed on the basis of the IDClist described in the price information or sales restriction (UCP)information of the secure container or described in the usage controlstatus (UCS) information. When the user is not found in the IDC list orwhen, even if the user is found in the IDC list, the input samplinginformation does not match with the template information, the user isnot permitted to use the content.

That is, a user can use the content of the secure container 990 on theuser device 1 (950) only when the user authentication on the basis ofthe person identification certificate (IDC) stored in the user device 1(950) is passed and furthermore when the user authentication on thebasis of the IDC list described in the price information or the salesrestriction (UCP) information of the secure container or described inthe usage control status (UCS) information is passed.

The secure container is allowed to be moved among devices. In the casewhere the secure container has been moved to a user device 2 (960), userauthentication on the basis of person identification certificate (IDC)stored in the user device 2 (960) and user authentication on the basisof the IDC list described in the price information or the salesrestriction (UCP) information of the secure container or described inthe usage control status (UCS) information are performed in a similarmanner.

In the system shown in FIG. 43, person identification certificates(IDCs) 955 of users A and B are stored in the user device 1 (950) and alist 992 of users A, B, and C are stored in the secure container.Therefore, only users A and B are allowed to use the content using theuser device 1 (950). On the other hand, person identificationcertificates (IDCs) 965 of users A and C are stored in the user device 2(960) and a list 992 of users A, B, and C is stored in the securecontainer. Therefore, only users A and C are allowed to use the contentusing the user device 2 (960).

In the example shown in FIG. 43, the system is constructed on theassumption that each user device performs user authentication bycomparing sampling information with a template of an IDC which is storedin the user device. When it is desirable that the device can be used byany user whose person identification certificate (IDC) has beenregistered in a person identification certificate authority (IDA), userauthentication may be performed by comparing input sampling informationwith templates not only in IDCs stored in the device but also in personidentification certificates (IDCs) stored in the person identificationcertificate authority (IDA), and users who have passed the userauthentication may be allowed to use the device.

An example of a process of performing user authentication on the basisof a person identification certificate (IDC) in an IDC list described ina secure container before distributing the secure container among userdevices thereby restricting the usage of the content is described belowwith reference to the flow charts shown in FIGS. 44 and 45. Note that itis assumed herein that accessing to user devices is not limited.

FIG. 44 is a flow chart of a process in which a secure container isreceived from a user device A and person authentication is performed bya user device B so that only authorized users can use the content. Therespective steps in the flow are described below.

In step S751, mutual authentication is performed between a user device Aand a user device B. Only when the mutual authentication is successfullycompleted (Yes in S752), the user device A extracts a secure container(S753) and transmits the extracted secure container to the user device B(S754). In the mutual authentication, a session key is created, andused, as required, to encrypt data which is transferred between theservice provider and the user device.

The user device B verifies the received secure container (S755). Herein,the verification includes the verification of the signature of thesecure container itself and the signatures of the respective data suchas the price information and the sales restriction (UCP) informationdescribed in the container.

If the verification of the container is affirmative (Yes in S756), auser who wants to use a content inputs sampling information and a userID to the user device B (S757). The user device B extracts a personidentification certificate (IDC) from the usage control status (UCS)information and retrieves an IDC identifier corresponding to the user ID(S759). In the case where an IDC identifier corresponding to the inputuser ID is not found, it is determined that the user is not a userauthorized by the service provider and an error is returned (No inS760). In this case, the following process is not performed.

If an IDC identifier corresponding to the input user ID is found in theperson identification certificate (IDC) list (Yes in S760), a personidentification certificate (IDC) is acquired on the basis of the IDCidentifier (S761). More specifically, in the case where the personidentification certificate (IDC) is stored in the user device B, the IDCstored in the user device B is employed, while the person identificationcertificate (IDC) is received from the person identification certificateauthority (IDA) or the service provider if the IDC is not stored in theuser device B. A template is extracted from the acquired personidentification certificate (IDC) and decrypted using the private key ofthe user device B. The template is then compared with the samplinginformation for verification (S762). If the verification fails (No inS763), an error is returned and the following process is not performed.More specifically, the decryption of the content is not performed andthus the usage of the content is limited. In the case where theverification is affirmative (Yes in S763), the user device A is informedof the success of the verification, and the user device A transmits tothe user device B a content key to be used in decryption of an encryptedcontent stored in the secure container (S764). The user device Bdecrypts the encrypted content using the content key received from theuser device A and uses the content (S765).

In this system, as described above, a content stored in a securecontainer is allowed to be used only when a user is verified as anauthorized user via a user verification process using a template of aperson identification certificate (IDC), thereby preventing the contentfrom being used by an unauthorized user even after a secure containerhas been distributed among user devices.

FIG. 45 is a flow chart of a process in which person authentication isperformed by a content distributor before distributing a content and asecure container is distributed only to authorized users. The respectivesteps in the flow are described below.

In step S771, mutual authentication is performed between a user device Aand a user device B. In the mutual authentication, a session key iscreated, and used, as required, to encrypt data which is transferredbetween the service provider and the user device.

Only when the mutual authentication is successfully completed (Yes inS772), the user device A extracts a secure container (S773), and a userinputs sampling information and a user ID to the user device B (S785)and transmits them to the user device A (S786).

The user device A extracts a person identification (IDC) list from theprice information, the sales restriction (UCP) information, or the usagecontrol status (UCS) information of the secure container (S774) andretrieves an IDC identifier corresponding to the user ID (S775). In thecase where an IDC identifier corresponding to the input user ID is notfound, it is determined that the user is not a user authorized by theservice provider and an error is returned (No in S776). In this case,the following process is not performed.

If an IDC identifier corresponding to the input user ID is found in theperson identification certificate (IDC) list (Yes in S776), a personidentification certificate (IDC) is acquired on the basis of the IDCidentifier (S777). More specifically, in the case where the personidentification certificate (IDC) is stored in the service provider, theIDC stored in the service provider is employed, while the personidentification certificate (IDC) is received from the personidentification certificate authority (IDA) if the IDC is not stored inthe service provider. A template is extracted from the acquired personidentification certificate (IDC) and decrypted using the private key ofthe service provider. The template is then compared with the samplinginformation for verification (S778). If the verification fails (No inS779), an error is returned and the following process is not performed.More specifically, distribution of a secure container and a content keyis not performed. In the case where the verification is affirmative (Yesin S779), the user is regarded as an authorized user and the followingprocess is performed. More specifically, distribution of a securecontainer and a content key to the user device B is performed.

If the user device B receives a secure container from the user device A,the user device B verifies the received secure container (S781). Herein,the verification includes the verification of the signature of thesecure container itself and the signatures of the respective data suchas the price information and the sales restriction (UCP) informationdescribed in the container. If the verification of the container issuccessfully completed (Yes in S782), it becomes possible to use, on theuser device B, the content in the secure container.

In this system, as described above, a content is allowed to bedistributed only when a user is verified as an authorized user via auser verification process performed by the user device A using atemplate of a person identification certificate (IDC), therebypreventing the content from being distributed to an unauthorized user.

FIG. 46 is a block diagram mainly illustrating configurations of userdevices which transmit a secure container to each other. A process oftransferring a secure container, generating content usage control status(UCS) information, and storing the secure container is described withreference to FIG. 46.

A service provider 1810 shown in FIG. 46 performs a first distribution(primary distribution) of a secure container. The service provider 1810stores the content in a content database 1812 and also stores userinformation in a user information database 1813. In the service provider1810, under the control of a controller 1811, an encryption unit 1814performs mutual authentication with a device to which a secure containeris to be transferred and also writes a signature on data to betransferred. The encryption unit 1814 includes a memory for storing keyinformation needed in the encryption process, the above-described publickey of the public key certificate authority (CA), and the public keycertificate issued by the public key certificate authority (CA). Thedatabase 1813 stores person identification certificates (IDCs) of usersto whom services are provided. A user identifying apparatus 1816performs user authentication, as required, by comparing samplinginformation with information described in an IDC.

The service provider 1810 transfers a secure container to a user deviceA1820 via a communication unit 1815. As described earlier, the securecontainer includes sales restriction (UCP) information and priceinformation wherein a person identification certificate (IDC) list isdescribed in at least either the sales restriction (UCP) information orthe price information.

A clearing center 1840 shown in FIG. 46 settles the charges for use ofdistributed contents (by processing electronic money data, for example).The clearing center 1840 includes an encryption unit 1844 which executesmutual authentication with respective devices in reception/transmissionof logs and which adds a signature to data to be transmitted andverifies a signature of received data. The clearing center 1840 alsoincludes a database 1842 in which various data such as user managementdata and user account management data. The encryption unit 1844 includesa memory for storing key information necessary in the encryptionprocess, the public key of the public key certificate authority (CA),and the public key certificate issued by the public key certificateauthority (CA). A controller 1841 controls the operations such astransmission/reception of data and transfer of data performed by theencryption unit during the encryption process. The database 1842includes person identification certificates (IDC) of users to whomservices are provided. A user identifying apparatus 1846 authenticatesan user, as required, by comparing sampling information with informationdescribed in the IDCs.

The service provider 1810 transfers a secure container to a user deviceA1820 via a communication unit 1815. When the user device A1820 receivesthe secure container via a communication unit 1827, the user device A1820 performs a purchasing process. In the purchasing process, userauthentication is performed on the basis of the person identificationcertificate (IDC) stored in a storage unit 1825. In the case where theperson identification certificate (IDC) is not stored in the storageunit 1825, user authentication may be performed by the service provider1810. In the user device A1820, under the control of a controller 1821,an encryption unit 1822 generates a content usage control status (UCS)information in accordance with the sales restriction (UCP) informationof the secure container and stores it in a memory such as a flash memory1824. As described earlier, the content usage control status (UCS)information includes a list inherited from the person identificationcertificate (IDC) list stored in the sales restriction (UCP)information.

The user device A1820 performs a content usage charge payment processusing, for example, electronic money 1828. The encryption unit 1822generates an usage log and transmits it to the service provider 1810 viathe communication unit 1827. The secure container received by the userdeice A1820 is stored in a storage unit 1825 such as a hard disk. Theservice provider 1810 verifies the usage log transmitted from the userdevice A1820. After completion of the verification, service provider1810 encrypts a content key using a session key and transmits theencrypted content key to the user device A1820. The user device A1820decrypts the encrypted content key using the session key, encrypts thecontent key using an unique storage key of the user device A1820, andstores it in the memory 1824.

In usage of a content, such as reproduction of a content using a datareproducing unit 1826, the user device A1820 decrypts the content keystored in the memory 1824 using the storage key, decrypts the content inthe secure container stored in the storage unit 1825 using the decryptedcontent key, and reproduces the content via the data reproducing unit1826. In order to perform the above-described decryption of the contentin the secure container, it is required that, in the previous decisionstep, the number of times the content is permitted to be furtherreproduced indicated by the content usage restriction (UCS) informationstored in the memory 1824 be read and the number should indicate thatfurther reproduction is permitted.

When a secure container is transmitted from the user device A1820 to theuser device B 1830, the user device A1820 reads the content usagecontrol status (UCS) information from the memory 1824, decrypts it usingthe storage key via the decryption unit 1822 (decryption is unnecessaryif the UCS information is not encrypted), and detects the “UCSgeneration management information” and “UCS allowable number ofsecondary distributions” described in the UCS. If it is determined thatfurther distribution is permitted, the user device A1820 transfers thesecure container to the user device B1830 via the communication unit1827. The user device B1830 receives the secure container via thecommunication unit 1837 and performs a purchasing process.

When the secure container is transmitted, the user authenticationdescribed earlier is performed. The user authentication is performed bythe user identifying apparatus 1829 of the user device A which transmitsthe secure container as described earlier with reference to the flowchart shown in FIG. 45, or by user identifying apparatus 1839 of theuser device B which receives the secure container as described earlierwith reference to the flow chart shown in FIG. 44. Alternatively, theuser authentication may be performed by the service provider or theperson identification certificate authority (IDA).

If the user authentication is passed, the user device B1830 generates acontent usage control status (UCS-B) information in which “UCSgeneration management information” and “UCS allowable number ofsecondary distributions” are newly set, using the encryption unit 1832under the control of the controller 1831, in accordance with the salesrestriction (UCP) information of the secure container and in accordancewith the UCS information of the user device A 1820. The resultantcontent usage control status (UCS-B) is stored in the memory 1834 suchas a flash memory.

In the generated UCS-B, the content usage history of the user deviceA1820 is inherited. The “UCS generation management information” of theUCS-B is set to be smaller by one than the “UCS generation managementinformation” of the UCS-A. The “UCS allowable number of secondarydistribution” of the UCS-B is set to be smaller by one than the “UCSallowable number of secondary distribution” of the UCS-A, or newly setto be equal to the “UCP allowable number of secondary distributions”described in the secure container.

The user device B1830 performs a content usage charge payment processusing the electronic money 1838. That is, an usage log is generated bythe encryption unit 1832 and transmitted to the user device A1820 viathe communication unit 1837. The secure container received by the userdeice B1830 is stored in a storage unit 1835 such as a hard disk. Theuser device A1820 verifies the usage log transmitted from the userdevice B1830. If the verification is passed, the user device A1820 readsthe content key from the memory 1824, decrypts the content key using thestorage key, decrypts the content key using the session key, andtransmits it to the user device B1830. The user device B1830 decryptsthe encrypted content key using the session key, encrypts the contentkey using an unique storage key of the user device B1830, and stores itin the memory 1834.

If the content is used beyond the upper limit by means of illegaltampering, the number of reception logs generated in accordance with thesame secure container exceeds the number set in the “UCS generationmanagement information” in the sales restriction (UCP) information inthe secure container. As a result, when the data is transmitted to theclearing center 1840, the data is determined to be invalid. Thereception log includes, as well as information indicating the contentID, “UCP generation management information” described in the securecontainer. Thus, in the settlement performed by the clearing center1840, if the reception log indicates that the number of distributionsexceeds the number set in the “UCP generation management information”,the reception log is determined to be invalid. In the case where areception log is generated on the basis of a content which is notpermitted distributed among users, the reception log is regarded asinvalid.

In usage of a content, such as reproduction of a content using a datareproducing unit 1836, the user device B1830 decrypts the content keystored in the memory 1834 using the storage key, decrypts the content inthe secure container stored in the storage unit 1835 using the decryptedcontent key, and reproduces the content via the data reproducing unit1836. In the above-described decryption of the content in the securecontainer, the usage status such as the number of times the content ispermitted to be further reproduced, described in the content usagecontrol status (UCS) information stored in the memory 1834 is checked,the content is used, that is, decryption is performed, within therestriction set therein.

In the content distribution using secure containers, when primarydistribution is performed from a service provider to a user device orwhen secondary distribution (intergeneration distribution or secondarytransmission) is performed among a plurality of user devices, userauthentication is performed using a person identification certificate(IDC). Furthermore, use of a content is limited within the restrictiondefined in the “UCP generation management information” and the “UCPallowable number of secondary distributions” included in the salesrestriction (UCP) information in the secure container. Furthermore,reception of the content usage charge resulting from primarydistribution or secondary distribution (intergeneration distribution orsecondary transmission) can be automatically performed in accordancewith the reception log generated in accordance with the priceinformation and the sales restriction information described in thesecure container. Thus, an additional process for settlement is notnecessary.

[7. Link between Person Identification Certificates (IDC) and Public KeyCertificates (PKC)]

Manners of relating person identification certificates (IDCs) to publickey certificates (PKC), that is, manners of forming links therebetweenare described below.

In many situations, it is useful to manage person identificationcertificates (IDCs) and public key certificates (PKCs) by relating themwith each other. For example, a person identification certificate (IDC)may be linked to a public key certificate of a public key applied toencryption of a template stored in the person identificationcertificate, or, a link may be formed between a person identificationcertificate and a public key certificate which are used in personauthentication, mutual authentication, and transmission of encrypteddata during a process of establishing a connection for datacommunication with a party such as a particular service provider, sothat one certificate can be pointed to by the other certificate.

Links between person identification certificates (IDCs) and public keycertificates (PKCS) may be formed not only in a one-to-one fashion inwhich one person identification certificate (IDC) is linked to onepublic key certificate (PKC), but also in a one-to-many, many-to-one, ormany-to-many fashions. There is a one-to-one correspondence between PKCsand IDCs when an unique person identified by a person identificationcertificate (IDC) corresponds to an unique public key certificate (PKC).For example, when one device and one user of that device correspond toeach other in a one-to-one fashion, a one-to-one link may be formed.

PKCs and IDCs may be linked in a one-to-N ({>=} 2) fashion, when, forexample, a plurality persons identified by a plurality of personidentification certificates (IDCs) do not correspond to one public keycertificate, that is, one device is shared by a plurality of users. PKCsand IDCs may be linked in a one-to-M ({>=} 2) fashion, when, forexample, there are a plurality of public key certificates that an uniqueperson identified by a person identification certificate (IDC) uses orcan use. PKCs and IDCs may be linked in a M-to-N (M, N {>=} 2) fashion,when, for example, there are a plurality of public key certificates thata plurality of persons identified by a plurality of personidentification certificates (IDCs) use or can use and a device is sharedby the plurality of persons.

Furthermore, person identification certificates (IDCs) and public keycertificates (PKCs) may be linked in a one-way fashion (one directionlink, directional link) in which only one type of certificates can bepointed to by the other type of certificates or in a two-way fashion inwhich any type of certificates can be pointed to by the other type ofcertificates.

Specific examples of manners of forming links between personidentification certificates (IDCs) and public key certificates (PKCs)are described below with reference to FIGS. 47A and 47B and FIGS. 48Aand 48B for the respective cases of one-to-one, one-to-many,many-to-one, and many-to-many links. In any example described below, itis assumed that person identification certificates (IDCs) are issued bya person identification certificate authority (IDA) and a signature ofthe person identification certificate authority (IDA) is writtentherein, and it is also assumed that public key certificates (PKCs) areissued by a certificate authority (CA) and a signature of thecertificate authority (CA) is written therein.

In any case, links can be formed in one of various manners describedbelow.

(1) A PKC identification number is embedded in an IDC (one-way link fromthe IDC to the PKC)

(2) An IDC identification number is embedded in a PKC (one-way link fromthe PKC to the IDC)

(3) A link structure ID is embedded in an IDC and a PKC.

The link structure is identified by a link structure ID, and the linkstructure has an IDC identification number and a PKC identificationnumber of the linked IDC and PKC.

(two-way link between the IDC and the PKC)

(4) A pair of a PKC identification number and an IDC identificationnumber is described in the outside of certificates.

(one-way link from the IDC to the PKC)

(5) A pair of a PKC identification number and an IDC identificationnumber is described in the outside of certificates.

(one-way link from the PKC to the IDC)

(6) A pair of a PKC identification number and an IDC identificationnumber is described in the outside of certificates.

(two-way link between the PKC and the IDC)

(7) A PKC is stored in an IDC

(one-way link from the IDC to the PKC)

(8) An IDC is stored in a PKC

(one-way link from the PKC to the IDC)

(9) A link information inquiry number or inquiry information is storedin each certificate

(one-way link from one of the PKC and the IDC to the other or two-waylink between them)

As described above, link information may be stored in such a manner thatan identification number of a linked certificate is stored (embedded) ina person identification certificate (IDC) itself or a public keycertificate (PKC) itself as in (1) and (2), or in such a manner that alink structure indicating a correspondence between identificationnumbers of linked certificates is created and an identifier (ID) of thelink structure is described in a person identification certificate (IDC)or a public key certificate (PKC), that is, the link structureidentifier serving as link identification data and identifiers of linkedpublic key certificate identifiers and person identificationcertificates are stored as in (3). Furthermore, as in (4), (5), and (6),link information indicating links between person identificationcertificates (IDCs) and public key certificates (PKCs) is collected andmanaged in the outside of the certificates in an integral fashion by anagency or an organization, for example, by a link information managementcenter or the like located on a network, and ink information isextracted as required. Specific examples of the manners of forming linksare described below.

(PKC is Stored in IDC)

As described earlier, one manner of storing template informationidentifying a person in a person identification certificate (IDC) is toencrypt the template using a public key and store the encrypted templatein the person identification certificate (IDC). A public key certificate(PKC) which is generated in correspondence with the public key used toencrypt the template is set as a linked public key certificate (PKC) ofthe person identification certificate (IDC), and this linked public keycertificate (PKC) is stored in the person identification certificate(IDC). FIG. 49A illustrates a manner in which a linked public keycertificate (PKC) is stored in a person identification certificate(IDC).

As shown in FIG. 49A, the encrypted template and the public keycertificate (PKC) of the public key applied to encryption of thetemplate are stored in the person identification certificate (IDC). Asdescribed earlier, the public key applied to the encryption of thetemplate is one of a public key of a user or a user device, a public keyof service provider (SP), and a public key of a person identificationcertificate authority (IDA), and the public key certificate (PKC) storedin the person identification certificate (IDC) is that of the public keyemployed to encrypt the template. By forming the link in theabove-described manner, the person identification certificate (IDC) andthe public key certificate (PKC) of the public key used to encrypt thetemplate are combined together, that is two types of certificates arecombined together in an inseparable fashion. When certificates arelinked in this manner, it is desirable that the expiration dates of thecertificates be set such that the expiration date of the IDC {<=} theexpiration date of the PKC. That is, it is desirable that the expirationdates be set such that the PKC stored in the IDC becomes valid duringthe entire period in which the IDC is valid.

(IDC is Stored in PKC)

FIG. 49B illustrates a manner in which a linked person identificationcertificate (IDC) of a public key certificate (PKC) is stored in thepublic key certificate (PKC) which is generated in correspondence with apublic key employed to encrypt a template.

As shown in FIG. 49B, the linked person identification certificate (IDC)including template information encrypted with the public keycorresponding to the public key certificate (PKC) is stored in thepublic key certificate (PKC). As described earlier, the public keyapplied to the encryption of the template is one of a public key of auser or a user device, a public key of a service provider (SP), and apublic key of a person identification certificate authority (IDA), andthe public key certificate (PKC) in which the person identificationcertificate (IDC) is stored is that of the public key employed toencrypt the template. By forming the link in the above-described manner,the person identification certificate (IDC) and the public keycertificate (PKC) of the public key used to encrypt the template arecombined together, that is, two types of certificates are combinedtogether in an inseparable fashion. Note that the person identificationcertificate (IDC) itself exists independently. When certificates arelinked in this manner, it is desirable that the expiration dates of thecertificates be set such that the expiration date of the PKC {<=} theexpiration date of the IDC. That is, it is desirable that the expirationdates be set such that the IDC stored in the PKC becomes valid duringthe entire period in which the PKC is valid.

(Identifier of a Linked Certificate is Stored in a Certificate)

A manner is described in which an identifier of a certificate such as anunique identification number assigned to that certificate is stored in acertificate to be linked to the former certificate.

FIG. 50A shows a manner in which an identification number of a publickey certificate (PKC) is stored in a person identification certificate(IDC), and FIG. 50B shows a manner in which an identification number ofa person identification certificate (IDC) is stored in a public keycertificate (PKC).

In the example shown in FIG. 50A in which the identification number ofthe public key certificate (PKC) is stored in the person identificationcertificate (IDC), the public key certificate (PKC) is thatcorresponding to a public key used to encrypt a template stored in theperson identification certificate (IDC), as in the previous example. Inthis case, it is required that the public key certificate (PKC) shouldhave been issued before the person identification certificate (IDC) wasissued. Because it is meaningless to store link information of a publickey certificate (PKC) which has expired, it is desirable that theexpiration dates be set such that the expiration date of the IDC {<=}the expiration date of the PKC. This link information storage manner isemployed, for example, when it is not necessary to store a PKC in an IDCand when it is not desirable to distribute the PKC together with theIDC.

In the example shown in FIG. 50B in which an identification number of aperson identification certificate (IDC) is stored in a public keycertificate (PKC), not only an identifier of a public key certificate(PKC) corresponding to a public key employed to encrypt a templatestored in the person identification certificate (IDC) but also anidentifier of a public key certificate (PKC) having some relationshipwith the person identification certificate (IDC) may also be stored. Itis possible to relate a plurality of person identification certificates(IDCs) to a single person identification certificate (IDC). Theexpiration dates of the IDC and the PKC are not influenced by thevalidity of the respective certificates. However, only for thecertificate of the public key used to encrypt the temple of the IDC, theexpiration date should be such as IDC {<=} PKC.

This link information storage manner may be employed, for example, whenafter performing user authentication on the basis of a personidentification certificate (IDC) in response to a request for access toa device, a plurality of linked public key certificates (PKCs) are usedbecause a public key pair is necessary for each service.

(Group Information is Managed Separately from PKC and IDC)

Now, a manner is described in which link management data or groupinformation (link information) indicating a link between a personidentification certificate (IDC) and a public key certificate (PKC) isformed separately from both the person identification certificate (IDC)and the public key certificate (PKC), and information which makes itpossible to access the link management data is stored in the IDC and thePKC.

FIGS. 51A and 51B and FIGS. 52A and 52B show examples of manners ofmanaging links using link management data. In the example shown in FIG.51A, group information (link information) is created and maintainedwhich includes the identifiers (numbers) of a person identificationcertificate (IDC) and a public key certificate (PKC) and also includesthe validity periods of the respective certificates. This method has thefeature that the registering/issuing timing of the respectivecertificates can be independent of each other. Another feature is that arecord indicating a relationship between certificates can be generatedand managed at a location where the record is required without imposingan influence upon any certificate. It is desirable that the validityperiod of the group information be set to be equal to the shortestvalidity period of those of the certificates related to each other. Thismethod may be advantageously employed to mange link information, forexample, when user authentication for a plurality of services isperformed using one IDC and when different public key pairs arenecessary for the respective services.

In the example shown in FIG. 51B, group information (link information)is created and maintained which includes the identifiers (numbers) of aperson identification certificate (IDC) and a public key certificate(PKC) and also includes the validity periods of the respectivecertificates, wherein a group information serial number serving as anidentifier of group information is stored in each certificate. Theserial number of the group information is identification data uniquelyassigned to each group information by a subject which manages the groupinformation. When a PKC and an IDC linked to each other are issued, dataindicating the serial number of the corresponding group information isstored as internal data in each certificate. This method has the featurethat addition, change, and deletion of link information described in thegroup information is possible without causing an influence upon thecertificates. This method may be advantageously employed to manage,using group information, the IDCs and PKCs of users to whom services areprovided, when it is required that a service provider manage the IDC,PKC, and information related to services.

In the example shown in FIG. 52A, group information serial numberserving as an identifier of group information defined as primaryinformation is stored in a person identification certificate (IDC) and apublic key certificate (PKC). Furthermore, related information iscreated as secondary information such that the secondary information canbe accessed from the primary information. Accessing to the primaryinformation from the secondary information may also be possible ifnecessary. Plural pieces of secondary information may be related toprimary information and may be managed separately. When a PKC and an IDCare requested to be registered or issued, the serial number of thelinked group information is requested to be stored in the PKC and theIDC. Addition, change, deletion of related information does not have aninfluence upon the certificates.

In the example shown in FIG. 52B, group information (link information)is created and maintained as primary information which includes theidentifiers (numbers) of a person identification certificate (IDC) and apublic key certificate (PKC), and related information is linked assecondary information such that the secondary information can beaccessed from the primary information. The link may also be formed, ifnecessary, such that accessing to the primary information from thesecondary information may also be possible.

In the case where related information is stored and managed at aplurality of different locations, secondary information identificationdata and index information are described in primary information so thatinformation can be used and managed flexibly. For example, variousservice providers (SPs) may be subjects which manage primary informationor secondary information, and the respective service providers (SPs) mayaccess person identification certificates (IDCs) and public keycertificates (PKCs) of users to which services are to be provided byusing the management information as customer information.

As described above, in various aspects, a person identificationcertificate (IDC) may be linked to a public key certificate of a publickey applied to encryption of a template stored in the personidentification certificate (IDC), or a link may be formed between aperson identification certificate and a public key certificate which areused in person authentication, mutual authentication, and transmissionof encrypted data during a process of establishing a connection for datacommunication with a party such as a particular service provider, sothat one certificate can be easily reached from the other certificate,thereby making it possible to quickly identify a key used in encryptionor decryption of a template or to quickly identify data necessary in,for example, mutual authentication on the basis of a public keycertificate after person authentication for a service provider on thebasis of a person identification certificate.

[8. Using a Content on the Basis of Person Identification Certificate(IDC) and Public Key Certificate (PKC)]

A process of performing person authentication on the basis of a personidentification certificate (IDC) and receiving (downloading) a contentsuch as music data or image data from a service provider is describedbelow with reference to specific examples.

As can be understood from the above description, to perform personauthentication on the basis of a person identification certificate, thesystem is required to be capable of comparing sampling information witha template and outputting the comparison result. Herein, a system isdescribed which includes a user device used by a user as a contentreproducing device and also includes a mechanism of comparing samplinginformation with a template, and which also has the capability ofdownloading a content from a service provider via a network dependingupon the comparison result, performing user registration in a serviceprovider, making a contract therewith, and erasing user registrationtherefrom, and requesting a person identification certificate authority(IDA) to issue a person identification certificate (IDC). The associatedprocesses are also described below.

FIG. 53 is a diagram illustrating a configuration of a user devicecapable of performing person authentication and reproducing a content. Auser device 500 includes a contents reproducing mechanism 501, acontents data storage unit 502, a user identifying apparatus 503, anetwork connection unit 504, a public key encryption unit 505, aselection unit 506, and an input/output unit 507.

The contents reproducing mechanism 501 is capable of reproducing acontent by reading data from the contents data storage unit. Thecontents data storage unit 502 serves to download content data via anetwork and store it therein. The user identifying apparatus 503 servesto input sampling information used to identify an user and convert theinput sampling information into digital data and also serves to verifythe sampling information by comparing the converted digital data with atemplate which has already been registered. The network connection unit504 serves to make a connection to a user device via a network. Thepublic key encryption unit 505 serves to add a signature to specifieddata, decrypt specified encrypted data, encrypt specified data, create apair of a public key and a private key, and make a link between anarbitrary public key certificate and certain data. The public keyencryption unit 505 is built in the form of a SAM (Secure ApplicationModule). The selection unit 506 serves to select data in a reproducingoperation, select a party to which a connection via a network is to bemade, and select a content title to be downloaded. The input/output unit507 serves as a user interface. More specifically, the input/output unit507 controls a display device and an input device so that specifiedinformation is displayed or information input by a user is convertedinto data having a processable form.

The public key encryption unit 505 of the user device 500 stores apublic key certificate (PKC) and a person identification certificate(IDC), wherein the public key certificate (PKC) and the personidentification certificate (IDC) are described in a mutually linked dataformat such that either one of the public key certificate (PKC) and theperson identification certificate (IDC) can be pointed to by the otherone. The specific manner of forming the link has been described above in[Link Between Person Identification Certificates (IDC) and Public KeyCertificates (PKC)]. A user executes a user authentication process usinga person identification certificate (IDC) stored in the public keyencryption unit 505, and the user uses a public key certificate (PKC) intransaction with a service provider.

(Downloading of Content)

A process is described below which is performed by a user deviceconstructed in the above-described manner to download a content such asmusic data or image data from a service provider and reproduce it,depending upon the result of comparison/verification of samplinginformation with a template. FIG. 54 illustrates a flow of data in thecontents downloading process, wherein the details of the flow are shownin the FIGS. 55, 56, and 57. The process is described below withreference to these figures. Note that in the following description, theprocess numbers shown in FIG. 54 are denoted by (n) and the step numbersin FIGS. 55 to 57 are denoted by (Snnn).

(1) First, to use a device, a user inputs sampling data such asfingerprint information into the device (S301). (2) In order to comparethe input sampling data with a template of a person identificationcertificate (IDC) which has already been stored in the SAM, the useridentifying apparatus requests the SAM to provide the personidentification certificate (IDC) (S302).

(3) The SAM retrieves the requested person identification certificate(IDC) on the basis of the link information and returns the retrieved IDCor a template extracted from the IDC to the user identifying apparatus(S303 to S305). (4) The user identifying apparatus compares the samplingdata with the template (S306). If the comparison result is affirmative,that is, if the user is verified as an authorized user, the user and thenetwork connection unit are informed of the success of the userverification (S307, S308). Only when the user verification isaffirmative, the network connection unit prepares for connection via thenetwork (S309).

(5) The user specifies desired data to be reproduced, via the interfaceprovided by the input/output unit (S310, S311). (6) The selection unitconverts the command accepted via the interface so as to generate acommand for controlling the network connection unit (S311, S312) andtransmits the control command to the network connection unit (S313).

(7) The network connection unit requests the public key encryption unitto provide a public key certificate (PKC) necessary in transaction ofcontent data (S314 to S316). (8) The public key encryption unittransmits the requested public key certificate (PKC) to the networkconnection unit (S317). In this process, as required, the public keyencryption unit retrieves the requested PKC by examining the IDC-PKClink and returns the retrieved PKC to the network connection unit.

(9) The network connection unit accesses a contents data providingserver via a local network or the Internet (S318). Mutual authenticationbetween the device and the server is performed on the basis of publickey certificates, and a shared session key is created therebyestablishing a secret communication path (S319). In FIG. 54, processes(9-1) to (9-8) are performed when a user communicates with a server inan interactive fashion to receive a service, wherein these processes areperformed as many times as required (S320, S321). Data is transmittedfrom the contents providing server to the user via the processes (9-1)to (9-4), and data is transmitted from the user to the contentsproviding server via the processes (9-5) to (9-8). In this datatransmission/reception, it is desirable that data be encrypted asrequired using the session key, signatures be added using the respectiveprivate keys, and the signatures be verified using the public key.

(10) After completion of transmission of all data, the networkconnection unit downloads requested content data from the contentsproviding server (S322). (11) The network connection unit transfers thedownloaded content data to the contents data storage unit to store ittherein (S323), and the session is ended (S324).

(12) In the case where reproducing of data is requested by the user, thecontent data is transferred to the contents reproducing unit (Yes inS325). (13) The user executes an operation for reproducing the contentusing the contents reproducing mechanism (S326), and uses the contentvia the input/output unit.

The flow of downloading and reproducing a content has been describedabove. Note that the process described above is performed in an easysituation in which a public key certificate (PKC) and a personidentification certificate (IDC) are used when a content is downloaded,and these two certificates are stored in the SAM. FIGS. 55 to 57 alsoshow processes which are performed when there is no certificate or whena certificate is not required. The processes performed in suchsituations are described below.

In FIG. 56, steps S328 to S332 are performed when a personidentification certificate (IDC) corresponding to a user is not found ina user device. In this case, the user device displays a message via aninput/output unit to inform the user that the IDC is not found (S328)and to request the user to determine whether or not to make a requestfor issuing an IDC (S329). In the case where the user inputs a commandindicating that the user does not want the request to be made, the userdevice informs the user that the downloading has failed (S332). On theother hand, if the user inputs a command indicating that the user wantsthe request for issuing an IDC to be generated, the user deviceterminates the process of downloading the content and informs the uservia the input/output unit that a process of generating a request forissuing an IDC is started (S330). Thereafter, the user device executesthe process of generating a request for issuing an IDC (S331). Thedetails of this process have been described above in [Registration andChange of Template and Person Identification Certificate (IDC)].

In FIG. 57, step S333 and steps following that are performed when thepublic key certificate (PKC) is not stored in the user device. Ifacquisition of a public key certificate (PKC) from a certificateauthority (CA) located outside is wanted (S333), it is determinedwhether the public key certificate (PKC) has already been registered(S334). If the registered public key certificate (PKC) is found, thepublic key certificate (PKC) is acquired from the certificate authority(CA) and stored in the user device (S335).

If the registered public key certificate (PKC) is not found, it isrequired to newly issue a public key certificate (PKC). In this case, apair of a public key and a private key is generated and a request fornewly issuing a public key certificate (PKC) is sent to a registrationauthority (RA), that is, an agency which issues public key certificates(PKCs) (S336). If a public key certificate (PKC) has been newly issued,group information indicating a link to a person identificationcertificate (IDC) is generated, and the public key certificate is stored(S338). However, the link information may be stored in various mannersas described earlier, and thus the above-described process of generatingand storing the group information is not necessarily required if thecertificate includes link data therein.

Step S339 and steps following that are performed when issuing of thepublic key certificate (PKC) is refused. In this case, the user deviceinforms the user via the input/output unit that downloading has failedand the user device terminates the process.

(User Registration, Erasure of User Registration, and Making ServiceContract)

Now, there is described a process associated with user registration in aservice provider which provides various services such as providing ofcontents, selling of goods, and settlement, erasure of userregistration, and making a service contract. Herein, it is assumed thatthe above process is performed in accordance with user authentication bymeans of comparison of a template with sampling information, performedby a user identifying apparatus included in a user device shown in FIG.53. FIG. 58 illustrates a flow of data in user registration, erasure ofuser registration, and making a service contract, wherein the details ofthe flow are shown in the FIGS. 63, 64, and 65. The process is describedbelow with reference to these figures. Note that in the followingdescription, the process numbers shown in FIG. 58 are denoted by (n) andthe step numbers in FIGS. 59 to 61 are denoted by (Snnn).

(1) First, to use a device, a user inputs sampling data such asfingerprint information into the device (S401). (2) In order to comparethe input sampling data with a template of a person identificationcertificate (IDC) which has already been stored in the SAM, the useridentifying apparatus requests the SAM to provide the personidentification certificate (IDC) (S402).

(3) The SAM retrieves the requested person identification certificate(IDC) on the basis of the link information and returns the retrieved IDCor a template extracted from the IDC to the user identifying apparatus(S403 to S405). (4) The user identifying apparatus compares the samplingdata with the template (S306). If the comparison result is affirmative,that is, if the user is verified as an authorized user, the user and thenetwork connection unit are informed of the success of the userverification (S407, S408). Only when the user verification isaffirmative, the network connection unit prepares for connection via thenetwork (S409).

(5) The user inputs data corresponding to a process to be performed, viathe interface provided by the input/output unit. More specifically, inthe case of user registration, data indicating a desired site to beregistered is input. Data indicating a site the registration of which isto be erased is input in the case of erasure of user registration. Inthe case of making a contract, data indicating a desired site a contractof which is to be made is input (S410). (6) The selection unit convertsthe command accepted via the interface so as to generate a command forcontrolling the network connection unit and transmits the controlcommand to the network connection unit (S411).

(7) The network connection unit requests the public key encryption unitto provide a public key certificate (PKC) necessary in transaction ofcontent data (S412). (8) The public key encryption unit transmits therequested public key certificate (PKC) to the network connection unit(S413 to S415). In this process, the public key encryption unitretrieves the requested PKC by examining the IDC-PKC link and returnsthe retrieved PKC to the network connection unit.

(9) The network connection unit accesses a service registration serveror a user registration server via a local network or the Internet(S416). Mutual authentication between the device and the server isperformed on the basis of public key certificates, and a shared sessionkey is created thereby establishing a secret communication path (S417).In FIG. 58, processes (9-1) to (9-8) are performed when a usercommunicates with a server in an interactive fashion to receive aservice, wherein these processes are performed as many times as required(S418, S419). Data is transmitted from the service registration serveror the user registration server to the user via the processes (9-1) to(9-4), and data is transmitted from the user to the service registrationserver or the user registration server via the processes (9-5) to (9-8).In this data transmission/reception, it is desirable that data beencrypted as required using the session key, signatures be added usingthe respective private keys, and the signatures be verified using thepublic key.

(10) After completion of transmission of all data, the networkconnection unit downloads necessary data from the service registrationserver or the user registration server (S420). (11) If the process (userregistration, erasure of user registration, making a contract) has beensuccessfully completed, the network connection unit informs the publickey encryption unit of the success of the process. Furthermore, ifrequired, necessary information is added to the link information (groupinformation) indicating the link between person identificationcertificates (IDCs) and the public key certificates (PKCs) (S422, 423).However, the link information may be stored in various manners asdescribed earlier, and thus the above-described process of generatingand storing the group information is not necessarily required if thecertificate includes link data therein. (12) After completion of theabove process, the result of the process is displayed via theinput/output unit, and the process is ended (S424, S425).

The flow of the process has been described above which is performed inconnection with the service provider, such as user registration, erasureof user registration, making a service contract, in which userauthentication is performed on the basis of a person identificationcertificate (IDC). Note that the process described above is performed inan easy situation in which a public key certificate (PKC) and a personidentification certificate (IDC) are used, and these two certificatesare stored in the SAM. FIGS. 60 to 62 also show processes which areperformed when there is no certificate or when a certificate is notrequired. The processes performed in such situations are describedbelow.

In FIG. 60, steps S426 to S430 are performed when a personidentification certificate (IDC) corresponding to a user is not found ina user device. In this case, the user device displays a message via aninput/output unit to inform a user that the IDC is not found (S426) andto request the user to determine whether or not to make a request forissuing an IDC (S427). In the case where the user inputs a commandindicating that the user does not want the request to be made, the userdevice informs the user that the process has failed (S430). On the otherhand, if the user inputs a command indicating that the user wants therequest for issuing an IDC to be generated, the user device terminatesthe process of downloading the content and informs the user via theinput/output unit that a process of generating a request for issuing anIDC is started (S428). Thereafter, the user device executes the processof generating a request for issuing an IDC (S429). The details of thisprocess have been described above in [Registration and Change ofTemplate and Person Identification Certificate (IDC)].

In FIG. 61, step S431 and steps following that are performed when thepublic key certificate (PKC) is not stored in the user device. Ifacquisition of a public key certificate (PKC) from a certificateauthority (CA) located outside is wanted (S431), it is determinedwhether the public key certificate (PKC) has already been registered(S432). If the registered public key certificate (PKC) is found, thepublic key certificate (PKC) is acquired from the certificate authority(CA) and stored in the user device (S443).

If the registered public key certificate (PKC) is not found, it isrequired to newly issue a public key certificate (PKC). In this case, apair of a public key and a private key is generated and a request fornewly issuing a public key certificate (PKC) is sent to a registrationauthority (RA), that is, an agency which issues public key certificates(PKCs) (S434). If a public key certificate (PKC) has been newly issued,group information indicating a link to a person identificationcertificate (IDC) is generated, and the public key certificate is stored(S436). However, the link information may be stored in various mannersas described earlier, and thus the above-described process of generatingand storing the group information is not necessarily required if thecertificate includes link data therein.

Steps S437 and S438 are performed when user registration, erasure ofuser registration, or making a service contract is refused. In thiscase, the user device informs the user via the input/output unit thatthe process has failed and the user device terminates the process. StepsS439 and S440 are performed when issuing of a new public key certificate(PKC) is refused. In this case, the user device informs the user via theinput/output unit that the process has failed and the user deviceterminates the process.

(Request for a Person Identification Certificate (IDC) to be Stored in aDevice and Registration Process)

A process of issuing and registering a person identification certificate(IDC) which is to be stored in a user device including a useridentifying apparatus shown in FIG. 53 is described below. FIG. 62illustrates a flow of data in the process of making a request for aperson identification certificate (IDC) to be stored in the user device,wherein the details of the flow are shown in the FIGS. 63, 64, and 65.The process is described below with reference to these figures. Notethat in the following description, the process numbers shown in FIG. 62are denoted by (n) and the step numbers in FIGS. 63 to 65 are denoted by(Snnn).

(1) First, to use a device, a user inputs sampling data such asfingerprint information into the device (S501). (2) In order to comparethe input sampling data with a template of a person identificationcertificate (IDC) which has already been stored in the SAM, the useridentifying apparatus requests the SAM to provide the personidentification certificate (IDC) (S502). Herein, it is assumed thatthere are n person identification certificates (IDCs) which have beenissued to the user device and a process is performed to generate arequest for issuing a new person identification certificate (IDC)including a template. Note that n=0 in the case where the user devicedoes not have any person identification certificate (IDC).

(3) The user device sequentially retrieves n person identificationcertificates (IDCs) which have been already stored, and returns theretrieved IDCs or templates extracted from the IDCs to the useridentifying apparatus (S503 to S505). (4) The user identifying apparatuscompares the sampling data with the templates (S506). If the samplingdata matches with a template, and thus if it is determined that the useris an authorized user, the user is informed of the success of the userauthentication (S507, S508). However, in this specific example, it isassumed that the sampling data does not match with the template of anystored person identification certificate (IDC), and thus a request fornewly issuing a person identification certificate (IDC) includingtemplate information is generated. That is, in the case where even whenthe sampling data has been compared with the templates of all storedIDCs, any IDC does not have a template which matches with the samplingdata, the process goes to step S509.

If a person identification certificate (IDC) including a template whichmatches the sampling information is not found in the user device, theuser device displays a message via an input/output unit to inform a userthat the IDC is not found (S509) and to request the user to determinewhether or not to make a request for issuing an IDC (S510). In the casewhere the user inputs a command indicating that the user does not wantthe request to be made, the user device informs the user that theprocess has failed (S512). On the other hand, if the user inputs acommand indicating that the user wants the request for issuing an IDC tobe generated, the user device informs the user via the input/output unitthat a process of generating a request for issuing an IDC is started(S511).

In FIG. 64, step S513 and the following steps are performed to issue apublic key certificate (PKC) used in a process of issuing personidentification certificate (IDC).

In step S513, it is determined whether a public key certificate (PKC) isnecessary in the process of issuing a person identification certificate(IDC). If the PKC is not necessary, the process goes to step S514 toacquire the identification number of the public key certificate (PKC)from an IDC or a PKC or link information (group information) stored inthe public key encryption unit of the user device. (9) If the public keycertificate (PKC) is found (Yes in S516), the public key certificate(PKC) is transferred to the public key encryption unit (S516), apreparation for connection with an IDRA (registration authority whichissues a person identification certificate (IDC)) (S517), andinformation necessary to issue the person identification certificate(IDC) is input (S518).

If acquisition of a public key certificate (PKC) from a certificateauthority (CA) located outside is wanted (S520), it is determinedwhether the public key certificate (PKC) has already been registered(S521). If the registered public key certificate (PKC) is found, thepublic key certificate (PKC) is acquired from the certificate authority(CA) and stored in the user device (S522).

If the registered public key certificate (PKC) is not found, it isrequired to newly issue a public key certificate (PKC). In this case, apair of a public key and a private key is generated (FIG. 62(5)) and arequest for newly issuing a public key certificate (PKC) is sent to aregistration authority (RA), that is, an agency which issues public keycertificates (PKCs) (FIG. 62(6),(7)) (S336). In the case where a publickey certificate (PKC) has been newly issued (FIG. 62(8)) (Yes in S524),group information indicating a link to the person identificationcertificate (IDC) is generated and the public key certificate is stored(S525). However, the link information may be stored in various mannersas described earlier, and thus the above-described process of generatingand storing the group information is not necessarily required if thecertificate includes link data therein.

FIG. 65 shows a process in which a person identification certificate(IDC) is issued by communicating with an IDRA (registration authoritywhich accepts registration of issuing of a person identificationcertificate (IDC)).

(10) To acquire a person identification certificate (IDC) linked to thepublic key certificate (PKC), the public key encryption unit of the userdevice transfers the address of the IDRA and the sampling data (or theuser name) to the network connection unit. Herein, it is assumed thatthe off-line procedure necessary for issue of the person identificationcertificate (IDC) has already been performed. If information (such assampling data, PIN, or user name) is further necessary to compare withinformation (personal information) which has been registered in theoff-line procedure and which is used by the IDRA to retrieve the IDC ofthe user, the information is also transferred at the same time to thenetwork connection unit.

(11) The network connection unit of the user device makes a connectionto the IDRA via a local network or the Internet (S526). Mutualauthentication between the device and the IDRA is performed on the basisof public key certificates, and a shared session key is created therebyestablishing a secret communication path (S527). The user devicetransmits necessary information (such as sampling data, PIN, name,address, or telephone number) to the IDRA. An interactive communicationprocess between the user and the IDRA is performed as represented by(11)-1 to (11)-8 in FIG. 62. (11)-1 to (11)-4 are steps performed totransmit data from the IDRA to the user, and (11)-5 to (11)-8 are stepsperformed to transmit data from the user to the IDRA. In this datatransmission/reception, it is desirable that data be encrypted asrequired using the session key, signatures be added using the respectiveprivate keys, and the signatures be verified using the public key. Inthe case where the person identification certificate (IDC) to be issuedwill include a template encrypted with the public key of the userdevice, the user device transmits the public key (public keycertificate) to the IDRA.

After completion of transmission of all data, the network connectionunit downloads necessary data and the result of the IDC issuing request(S530). (12) The IDRA verifies the IDC issuing request received from theuser device. If it is determined that the request is valid, the IDRArequests an IDCA, which executes an IDC issuing procedure, to issue anIDC. The person identification certificate (IDC) issued by the IDCA istransmitted to the user device via the IDRA.

(13) Upon receiving the person identification certificate (IDC), theuser device transmits the person identification certificate (IDC) to thepublic key encryption unit. (14) The public key encryption unitgenerates link information (group information) indicating the linkbetween the person identification certificate (IDC) and the public keycertificate (PKC) (S532) and updates the link information (groupinformation) (S533). However, the link information may be stored invarious manners as described earlier, and thus the above-describedprocess of generating and storing the group information is notnecessarily required if the certificate includes link data therein. (15)After completion of the above process, the result of the IDC issuerequest process is displayed via the input/output unit, and the processis ended (S534, S535).

Steps S536 and S537 are performed when issuing of the public keycertificate (PKC) is refused. In this case, the user device informs theuser via the input/output unit that the process has failed and the userdevice terminates the process. Steps S538 and S539 are performed whenissuing of a new public key certificate (PKC) is refused. In this case,the user device informs the user via the input/output unit that theprocess has failed and the user device terminates the process.

[9. One-Time Public Key Certificate (One-Time PKC)]

Now, a process performed by a certificate authority (CA) to issue apublic key certificate (PKC) in accordance with user authenticationusing a template of a person identification certificate authority (IDA)is described. Hereinafter, a public key certificate issued in such amanner is referred to as a one-time PKC. A one-time PKC is issued, forexample, when a user wants to perform a transaction such as acquisitionof a content from a service provider with which the user has not made acontract, wherein after performing user authentication on the basis of aperson identification certificate (IDC) which has already beenregistered in the person identification certificate authority (IDA), theone-time PKC is issued without performing a rigorous examination of thecertificate authority (CA). The one-time PKC is not regarded as anofficial public key certificate but regarded as valid only in aparticular transaction such as a one-time transaction.

FIG. 66 illustrates a procedure of issuing a one-time PKC. The processproceeds in the order of the numbers shown in FIG. 66. FIG. 67 is a flowchart illustrating the details of the procedure of issuing a one-timePKC. The process of issuing a one-time PKC is described below withreference to FIGS. 66 and 67.

First, an user, who wants to generate a request for issuing a one-timePKC, inputs sampling data such as fingerprint data to an identificationrequest apparatus (FIG. 67, S201). The identification request apparatusgenerates a pair of the public key and the private key of the user whoinput the sampling data and employing it as a one-time PKC key set(S202).

Thereafter, the identification request apparatus performs mutualauthentication with a person identification certificate authority (IDA)(S203). Provided that the mutual authentication is passed, theidentification request apparatus transmits the sampling data, thegenerated public key, and the user identification data to the personidentification certificate authority (IDA). In the transmission of thedata, it is desirable that the data be encrypted using the session key,and a signature be attached to the data.

Upon receiving the data from the certificate requesting apparatus, theperson identification certificate authority (IDA) extracts a templatefrom the person identification certificate (IDC) which is identified bythe user identification data and which has already been registered andcompares the received sampling data with the extracted template forverification (S205). Thereafter, the person identification certificateauthority (IDA) retrieves the user ID from a database (S206) andperforms mutual authentication between the person identificationcertificate authority (IDA) and the certificate authority (CA) (S207).Provided that the mutual authentication is successfully passed, theperson identification certificate authority (IDA) transmits the user IDand the public key to the certificate authority (CA) (S208). Also inthis data transmission, it is desirable that data be encrypted and asignature be attached to the data.

The certificate authority (CA) generates a public key certificatecorresponding to the received public key as a one-time PKC and updatesthe issue history (S209, 210). The certificate authority (CA) transmitsthe generated one-time PKC to the certificate requesting apparatus viathe person identification certificate authority (IDA) (S211).

Using the received one-time PKC, for example, the certificate requestingapparatus requests a service provider to provide a service. Morespecifically, the certificate requesting apparatus adds a signatureencrypted with the generated private key to, for example, a contentrequest data or a settlement request data and transmits it together withthe public key certificate (one-time PKC) to the service provider.

The service provider extracts the public key certificate (one-time PKC)from the received data, further extracts the public key of the user, andverifies the signature using the public key, thereby verifying theservice request (S215). If the verification is successfully passed, theservice provider provides the requested service (S215). Upon receivingthe service, the certificate requesting apparatus deletes the public keyand the private key generated in the certificate requesting apparatusand also deletes the issued one-time PKC (S216). Alternatively, only thepublic key certificate in the form a one-time PKC may be deleted withoutdeleting the public key and the private key.

The sequence of steps shown in FIG. 67, that is, the process from stepS201 in which sampling data is transmitted to step S216 in which data isdeleted, is automatically executed in accordance with a particularprocessing program which may be provided by the service provider. Thus,the one-time PKC transmitted to the certificate requesting is deletedfrom the certificate requesting apparatus when the process is completed,thereby ensuring that the one-time PKC is prevented from being used foranother transaction. However, it is not necessarily required to deletethe one-time PKC, but the one-time PKC may be used repeatedly forparticular limited transactions.

As described above, the template serving as user identification data ofthe user who generates a request for issuing a public key certificate(one-time PKC) is acquired from the person identification certificateand compared with the sampling information to verify the authenticity ofthe user, and, provided that the user authentication is successfullypassed, the public key certificate of the user is issued, thereby makingit possible to quickly issue the public key certificate via a simplifiedissuing procedure.

Furthermore, user authentication is performed at the personidentification certificate authority, the certificate authorityresponsible for issuing public key certificates (one-time PKCs) issues apublic key certificate, provided that the user authentication issuccessfully passed, thereby allowing a reduction in a processing loadin terms of the user authentication upon the certificate authority.

Furthermore, because a public key certificate (one-time PKC), which isissued to a user provided that user authentication performed by a personidentification certificate authority by comparing user's samplinginformation with a template stored in a person identificationcertificate is successfully passed, is deleted when the usage of thepublic key certificate by an information processing apparatus which hasreceived the public key certificate (one-time PKC) is completed, it isensured that the public key certificate (one-time PKC) issued via theuser authentication performed by the person identification certificateauthority can be used only for the particular purpose specified when theone-time PKC is issued.

[10. Verification Certificate]

When a template of a person identification certificate and samplinginformation match with each other in a verification process, a personidentification certificate authority (IDA) certifies that a person whohas provided the sampling information is the person corresponding to theperson identification certificate. In the examples described above, theverification result is given in the form of a message indicating eitherOK or NG. Alternatively, the person identification certificate authority(IDA) may issue a verification certificate indicating that userauthentication has been successfully passed. The process of issuing theverification certificate is described below.

FIG. 68 illustrates a first usage manner in which a verificationcertificate is used. In FIG. 68, the process proceeds in the order ofnumbers from 1 to 10. The further detailed flow is shown in FIG. 69. Theprocess is described below with reference to FIGS. 68 and 69.

When a user wants to be subjected to person authentication, the userfirst transmits sampling data to a person certificate requestingapparatus (FIG. 69, S101). Herein, the person certificate requestingapparatus is, for example, a user device or a system capable ofcommunicating with a service provider.

Thereafter, the person certificate requesting apparatus performs mutualauthentication with a person identification certificate authority (IDA)(S102). Provided that the mutual authentication is successfully passed,the user certificate requesting apparatus transmits sampling data andthe identifier (ID) of the person certificate requesting apparatus tothe person identification certificate authority (IDA) (S103). In thisdata transmission, it is desirable that the data is encrypted using asession key generated in the authentication process or using the publickey of the person identification certificate authority (IDA). If themutual authentication fails, error handling is performed (S122), but thefollowing process is not performed.

Thereafter, the person identification certificate authority (IDA)extracts a template of the person identification certificate (IDC) ofthe user subjected to the person authentication, stored in a database ofthe person identification certificate authority (IDA) and compares itwith the received sampling data. If the verification fails, thefollowing process is not performed.

The person identification certificate authority (IDA) extracts theidentifier (ID) of the user subjected to the person authentication fromthe database of the person identification certificate authority(IDA)(S105) and generates a verification certificate on the basis of theID of the user whose authentication has been successfully passed (S106).Furthermore, the person identification certificate authority (IDA)updates the history of issuing verification certificates, that is,writes data indicating the date of issuing the certificate and thevalidity period thereof into the verification certificate issue history(S107). Thereafter, the person identification certificate authority(IDA) issues the verification certificate to the person certificaterequesting apparatus.

Furthermore, the process described below is performed when the userrequests a service provider to provide a service, using the issuedverification certificate. The user, who has received the issuedverification certificate, adds a signature to the verificationcertificate and to an electronic message such as service request dataand further attaches the public key certificate thereby generating aservice request (S109). The generated service request is transmitted tothe service provider (S110).

The service provider extracts the public key from the received publickey certificate and verifies the signature (S111). If it is determinedthat the data has not been tampered with, the service provider providesa service to the user (S112). Upon receiving the service, the personcertificate requesting apparatus deletes the verification certificate(S113).

The sequence of steps shown in FIG. 69, that is, the process from stepS101 in which sampling data is transmitted to step S113 in which theverification certificate is deleted, is automatically executed inaccordance with a particular processing program which may be provided bythe service provider. Thus, the verification certificate transmitted tothe person certificate requesting apparatus is deleted from the personcertificate requesting apparatus when the process is completed, therebyensuring that the certificate is prevented from being used for anotherpurpose. However, it is not necessarily required to delete thecertificate, but the certificate may be used repeatedly for particularlimited transactions.

FIG. 70 illustrates a second manner of using a verification certificate.In this example, unlike the example shown in FIG. 68, a service provideracquires a verification certificate of a user to whom a service is to beprovided.

A user, who wants to request a service provider to provide a service tothe user, generates a request data including a service request andsampling data such as fingerprint using a certificate requestingapparatus and writes a signature therein. Thereafter, mutualauthentication is performed between the certificate requesting apparatusand the service provider. If it is determined that the mutualauthentication has been successfully passed, the service providertransmits the generated request data.

Upon receiving the request data, the service provider verifies thesignature to check whether or not the data has been tampered with. If itis determined that the data has not been tampered with, mutualauthentication is performed between the person identificationcertificate authority (IDA) and the service provider. Thereafter, theservice provider transmits the sampling data received from the user andthe ID of the certificate requesting apparatus together with an attachedsignature of the service provider.

The person identification certificate authority (IDA) verifies thereceived data to confirm that the data has not been tampered with.Thereafter, the person identification certificate authority (IDA)compares the received sampling data with the template. If it isdetermined that they match with each other, the person identificationcertificate authority (IDA) generates a verification certificate.Furthermore, the person identification certificate authority (IDA)generates issue history data and stores it.

The generated verification certificate is transmitted to the serviceprovider. On the basis of the received verification certificate, theservice provider determines that the authenticity of the user who hasgenerated the service request has been certified, and the serviceprovider notifies the certificate requesting apparatus and the user thatthe requested service is to be provided. The service provider deletesthe verification certificate, and the process is ended.

FIG. 71 shows an example of a format of the verification certificate.Respective data items are described below.

Version indicates the version of the verification certificate format.

Serial Number indicates a serial number assigned by a personidentification authority (IDA) to a verification certificate.

In Signature algorithm Identifier algorithm parameter, the signaturealgorithm of the verification certificate and parameters thereof aredescribed. Either the elliptic curve cryptography or the RSA can be usedas the signature algorithm, wherein in the case where the elliptic curvecryptography is employed, parameters and the key length are described,while the key length is described in the case where the RSA is employed.

Issuer is a field in which the issuer of the verification certificate,that is, the name of the person identification certificate authority(IDA) is described in the form of a distinguished name.

Validity is a field to describe a period during which the certificate isvalid, wherein a start date and an expiration date are described.

Subject is a field in which the name of a subject or a user isdescribed. In this field, more specifically, the ID or the name of theuser is described.

In Subject IDA Info, person identification certificate information ofthe user, such as the certificate number of the person identificationcertificate and the unique ID of the person, is described.

In Subject PKC Infor, the public key certificate information of theperson to be certificated, such as the certificate number of the publickey certificate of the person to be certificated and the unique ID ofthe person of the public key certificate of the person to becertificate, is described.

The digital signature is data which is created by generating a hashvalue by applying a hash function to all fields of the certificate andthen encrypting the resultant hash value using the public key of theperson identification certificate authority (IDA).

As described above, the verification certificate includes the public keycertificate information and the person identification certificateinformation so that links to the public key certificate and the personidentification certificate can be formed. The identification data of theperson to be certified is also included.

[11. Downloading of Person Identification Certificate (IDC) and Usage ofa Content]

When a user uses a device in which a person identification certificate(IDC) of that user is not stored, the user can receive a service such asdistribution of a content by performing user authentication using aperson identification certificate (IDC) which has already beenregistered in a person identification certificate authority (IDA), as isdescribed below.

A user, who wants to receive various contents such as music data orimage data from a service provider, does not necessarily use a singleuser terminal (user device) but, in some cases, uses a plurality ofdevices. For example, the user may use a device installed in his/herhome, a device installed in a company, and a device which is opened foruse by a plurality of unspecified users.

To perform person authentication using the above-described personidentification certificate (IDC), it is required to access the personidentification certificate. For example, if a user device that a user Afrequently uses includes a person identification certificate (IDC),person authentication can be performed using the stored IDC. However, itis not realistic that the device installed in the company or the devicewhich is opened for use by a large number of unspecified users includeperson identification certificates (IDCs) of all possible users. In thedevice in such a situation, person authentication may be performed usingperson identification certificates (IDC) which have already beenregistered in a person identification certificate authority (IDA) toreceive a content in accordance with the person authentication, as isdescribed below.

FIG. 72 shows a process in which person authentication is performedusing a person identification certificate (IDC) which has already beenregistered in a person identification certificate authority (IDA), and,if the person authentication is successfully passed, a content isdistributed to the user. In FIG. 72, the process proceeds in the orderof numbers from 1 to 11. The further detailed flow is shown in FIGS. 73to 75. The process is described below with reference to FIG. 72 andFIGS. 73 to 75.

As shown in FIG. 72, a user A executes a process such as reception of acontent using a device A of the user A. To this end, the device Aincludes various certificates which are needed to receive a content.More specifically, a public key certificate (PKC) and a personidentification certificate (IDC) of the user A and also a public keycertificate (PKC) of the device A are stored in the user device A. Theuser A can execute a mutual authentication process using various PKCs asrequired and also can execute a person authentication process using theIDC.

Herein, it is assumed that the user A receives a service such asdistribution of a content using another device. In the specific exampleshown in FIG. 72, the user A uses a device B of a user B to receive aservice. A public key certificate (PKC) and a person identificationcertificate (IDC) of the user B and a public key certificate (PKC) ofthe device B are stored in the user device B. Although the user B canexecute mutual authentication and person authentication using thesecertificates, the user A, in some cases, cannot execute personauthentication or mutual authentication using only the certificatesstored in the device B. In such a case, the user A may receive a serviceof content distribution using the device B, if user authentication onthe basis of an IDC and mutual authentication on the basis of a PKC areperformed as described below.

When the user A wants to use the device B, the user A first accesses(activates) the device B (S801). To determine whether the access is froma user authorized to access the device B, the device B starts a personauthentication process (S802). Thus, the user A is requested to inputsampling information. In response, the user A inputs samplinginformation such as a fingerprint and a user ID to the device B (S803).The device B retrieves an IDC stored in a storage means in the device Bon the basis of the user ID or the sampling information (S804). In thisspecific case, the IDC corresponding to the user A is not stored in thedevice B, and thus the IDC is not found. In this case, the device Brequests a person identification certificate authority (IDA) to transmitthe IDC of the user A. In this process, the device B executes mutualauthentication with the person identification certificate authority(IDA) and transmits the user ID and the sampling information of the userA to the person identification certificate authority (IDA) afterencrypting them using a session key created during the mutualauthentication.

The person identification certificate authority (IDA) retrieves theperson identification certificate (IDC) of the user A from a database ofthe person identification certificate authority (IDA) and transmits theretrieved person identification certificate (IDC) to the device B. Theperson identification certificate (IDC) includes template informationwhich is stored in a form the device B can use. More specifically, forexample, the template is encrypted using the public key of the device B.The device B stores the received person n identification certificate(IDC) of the user A in a memory of the device B (S806).

The device B makes a comparison with the sampling data using the personidentification certificate (IDC) of the user A stored in the memory,that is, the device B performs person authentication (S807). If thecomparison fails, error handling is performed but the following processis not performed.

If the person authentication is successfully passed, the device Bretrieves a pair of a public key and a private key applicable to theservice provided by the service provider (S809). In the datacommunication with various users for the user authentication or forother purposes, the service provider encrypts the data using a pair of apublic key and a private key assigned to each user or each device. Inthis specific example, a pair of a public key and a private key solelyfor the user A is not stored in the device B, and thus the result of thedecision step S810 becomes negative (No). Thus, the device B creates anew pair of a public key and a private key (S811).

Thereafter, the device B transmits the generated public key to acertificate authority (CA) to request it to issue a public keycertificate, thereby acquiring the public key certificate (PKC) of theuser A. The acquired PKC is stored in the device B (S812).

The device B then forms a link between the person identificationcertificate (IDC) and the public key certificate (PKC) of the user A.More specifically, for example, the link is formed by creating groupinformation as is described earlier and stores it in the memory. In thisprocess, the link information (group information) is related to servicenames which are allowed to be used using the IDC and the PKC andregistered (S813). That is, to indicate which service provider or whichcontent provider the set of the IDC and the PKC can be used to receive aservice from, process identifiers such as provider identifiers orservice identifiers are registered together with the link information.

Thereafter, the device B performs mutual authentication with a serviceregistration server using the public key certificate (PKC) of the user A(S814). The service registration server is a server in which users ofone or more service providers (such as a content distribution server)are registered. More specifically, public key certificates (PKCs) ofrespective users are registered so as to make it possible for a serviceprovider connected to the service registration server to perform, usingthe registered PKCS, various encryption processes which are needed in,for example, authentication when a service is provided.

If the mutual authentication with the service registration server issuccessfully passed, authentication of the user A for the serviceregistration server is performed using the person identificationcertificate (IDC) of the user A (S816). After completion of these steps,the service registration server registers the public key certificate(PKC) of the user A (S818). Note that, in the above process, the personauthentication is executed as required, and it is not necessarilyneeded. For example, when a content is distributed, personauthentication may be performed by a content distribution server.

The device B receives from the service registration server a messageindicating that the public key certificate (PKC) of the user A has beenregistered, and furthermore the device B receives information aboutservices which are available using the registered public key certificate(PKC) of the user A and also receives PKCs of content distributionservers (S819).

The following process is performed when a content is received from acontent distribution server. In step S820, mutual authentication isperformed using the PKC of the content distribution server and the PKCof the user A. If the mutual authentication is successfully passed,distribution of a content is performed (S822). In the above process, inresponse to receiving a request for a content from the device B, thecontent distribution server checks whether the PKC used in the mutualauthentication performed in response to the request for the content isregistered as a PKC for using the content in the service registrationserver. Only when the PKC is determined to be usable for the content,the distribution of the content is performed. In this specific example,because the public key certificate (PKC) of the user A has already beenregistered in the service registration server, the request for thecontent is accepted and the distribution of the content is performed.

As described above, even when a person identification certificate (IDC)and a public key certificate (PKC) of a user are not stored in a device,a user can receive a service from a service provider by downloading anIDC registered in the person identification certificate authority (IDA)into the device, receiving a public key certificate (PKC) from acertificate authority (CA) using a pair of a public key and a privatekey generated by the device, performing person authentication on thebasis of the IDC, performing mutual authentication on the basis of thePKC, and performing encryption of data.

The process performed using the person identification certificate (IDC)and the public key certificate (PKC) assigned to a user has beendescribed above. Now, a process performed using a person identificationcertificate (IDC) assigned to a user and a public key certificate (PKC)assigned to a device is described below.

FIG. 76 shows a process in which person authentication is performedusing a person identification certificate (IDC) assigned to a user and apublic key certificate (PKC) assigned to a device and also using aperson identification certificate (IDC) which has already beenregistered in a person identification certificate authority (IDA), andthen a content is distributed to the user using the public keycertificate (PKC) assigned to the device. In FIG. 76, the processproceeds in the order of numbers from 1 to 6. The further detailed flowis shown in FIGS. 77 to 78. The process is described below withreference to FIG. 76 and FIGS. 77 to 78.

As shown in FIG. 76, a user A usually executes a process such asreception of a content using a device A of the user A. To this end, thedevice A includes various certificates which are needed to receive acontent. More specifically, a public key certificate (PKC) and a personidentification certificate (IDC) of the user A and also a public keycertificate (PKC) of the device A are stored in the user device A. Theuser A can execute a mutual authentication process using various PKCs asrequired and also can execute a person authentication process using theIDC.

Herein, it is assumed that the user A receives a service such asdistribution of a content using another device. In the specific exampleshown in FIG. 76, the user A uses a device B of a user B to receive aservice. A person identification certificate (IDC) of the user B and apublic key certificate (PKC) of the device B are stored in the userdevice B. Although the user B can mutual authentication and personauthentication using these certificates, the user A cannot executeperson authentication using only the certificates stored in the deviceB. Even in such a case, the user A can receive a content using thedevice B by performing a process shown in FIG. 77 and the followingfigure, in which person authentication is performed using an IDC andmutual authentication is performed using a PKC.

When the user A wants to use the device B, the user A first accesses(activates) the device B (S851). To determine whether the access is froma user authorized to access the device B, the device B starts a personauthentication process (S852). Thus, the user A is requested to inputsampling information. In response, the user A inputs samplinginformation such as a fingerprint and a user ID to the device B (S853).The device B retrieves an IDC stored in the device B on the basis of theuser ID or the sampling information (S854). In this specific case, theIDC corresponding to the user A is not stored in the device B, and thusthe IDC is not found. In this case, the device B requests a personidentification certificate authority (IDA) to transmits the IDC of theuser A. In this process, the device B executes mutual authenticationwith the person identification certificate authority (IDA) and transmitsthe user ID and the sampling information of the user A to the personidentification certificate authority (IDA) after encrypting them using asession key created during the mutual authentication.

The person identification certificate authority (IDA) retrieves theperson identification certificate (IDC) of the user A from a database ofthe person identification certificate authority (IDA) and transmits theretrieved person identification certificate (IDC) to the device B. Theperson identification certificate (IDC) includes template informationwhich is stored in a form the device B can use. More specifically, forexample, the template is encrypted using the public key of the device B.The device B stores the received person n identification certificate(IDC) of the user A in a memory of the device B (S856).

The device B makes a comparison with the sampling data using the personidentification certificate (IDC) of the user A stored in the memory,that is, the device B performs person authentication (S857). If theverification fails, an error is returned and the following process isnot performed.

If the person authentication is successfully passed, the device Bretrieves a pair of a public key and a private key applicable to theservice provided by the service provider (S859). In the datacommunication with various users for the user authentication or forother purposes, the service provider encrypts the data using a pair of apublic key and a private key assigned to each user or each device.Herein, a pair of a public key and a private key of the device B isusable. The device B performs mutual authentication with a serviceregistration server using the public key certificate (PKC) of the user A(S814). The service registration server is a server in which users ofone or more service providers (such as a content distribution server)are registered. More specifically, public key certificates (PKCs) ofrespective users are registered so as to make it possible for a serviceprovider connected to the service registration server to perform, usingthe registered PKCs, various encryption processes which are needed in,for example, authentication when a service is provided. Herein, it isassumed that the service registration server registers public keycertificates (PKCs) of respective devices, or public key certificates(PKCs) of respective devices and person identification certificates(IDCs) of respective users.

If the mutual authentication with the service registration server issuccessfully passed, authentication of the user A for the serviceregistration server is performed using the person identificationcertificate (IDC) of the user A (S862). After completion of the aboveprocess, the device B receives from the service registration server amessage indicating that services are now available and further receivesinformation about what services are available and also receives PKCs ofcontent distribution servers (S864).

The following process is performed when a content is received from acontent distribution server. In step S865, mutual authentication isperformed using the PKC of the content distribution server and the PKCof the device B. If the mutual authentication is successfully passed,distribution of a content is performed (S867). In the above process, inresponse to receiving a request for a content from the device B, thecontent distribution server checks whether the PKC used in the mutualauthentication performed in response to the request for the content isregistered as a PKC for using the content in the service registrationserver. Only when the PKC is determined to be usable for the content,the distribution of the content is performed. In this specific example,because the public key certificate (PKC) of the device B has alreadybeen registered in the service registration server, the request for thecontent is accepted and the distribution of the content is performed.

As described above, even when a person identification certificate (IDC)and a public key certificate (PKC) of a user is not stored in a device,a user can receive a service from a service provider by downloading anIDC registered in the person identification certificate authority (IDA)into the device, performing person authentication on the basis of theIDC using the public key certificate (PKC) of the device stored in thatdevice, performing mutual authentication on the basis of the PKC, andperforming encryption of data.

[12. Setting the Validity Period of Person Identification Certificate(IDC)]

As described above, a person identification certificate (IDC) includestemplate information for identifying a person, such as fingerprintinformation, a password, or other personal information. Although thetemplate information is encrypted, there is still a non-zero possibilitythat the template information may be decrypted or tampered with. Fromthis viewpoint, it is undesirable that there are a large number ofuncontrolled person identification certificates (IDCs). It is importantto control the person identification certificates (IDCs) which areissued by person identification certificate authorities (IDAs) and usedby user devices (UDs) or service providers (SPs).

Now, there is described a method of managing IDCs so as to prevent anIDC and a template from remaining in a state in which the IDC or thetemplate can be used for a limitless period, by setting the validityinformation of a person identification certificate (IDC), and moreparticularly, by setting the period during which the IDC is valid or themaximum number of times the IDC is allowed to be used. By setting thevalidity period, it becomes possible to examine a user at scheduledintervals, and it also becomes possible to easily check the validity ofa user to whom a person identification certificate (IDC) has issued.

FIG. 79 illustrates a person identification certificate (IDC) in whichvalidity information (expiration date and the number of times the IDC isallowed to be used) of the person identification certificate (IDC)) andalso the expiration date of template information stored in the IDC areset. A person identification certificate authority (IDA) 1001 issues aperson identification certificate (IDC) of an user and distributes it toan entity which executes person authentication, such as a serviceprovider (SP)1002 and a user terminal 1003. In the service provider (SP)1002 and the user terminal 1003, the person identification certificate(IDC) issued by the IDA is stored and is used in person authenticationin which sampling information given by a user is compared withinformation described in the IDC.

As shown in FIG. 79, the person identification certificate (IDC) issuedby the person identification certificate authority (IDA) 1001 includes“expiration date or number of times the IDC is allowed to be used” 1004and “expiration date of template” 1005, wherein a signature 1006 using aprivate key of the person identification certificate authority (IDA) isattached to the whole of the IDC. When a service provider 1002 or a userdevice 1003 receives a person identification certificate (IDC), theservice provider 1002 or the user device 1003 verifies the signature1006 using the public key of the person identification certificateauthority (IDA) 1001 to check whether or not the person identificationcertificate (IDC) has been tampered with.

The “expiration date or the number of times the IDC is allowed to beused” 1004 stored in the person identification certificate (IDC) is dataindicating the validity of the IDC itself. The expiration date or thenumber of times the IDC is allowed to be used is set by the personidentification certificate authority (IDA) 1001 which issues the personidentification certificate (IDC) and is stored in the IDC. Even for IDCsin which the template information of the same user is stored, the personidentification certificate authority (IDA) 1001 may set different“expiration date or the number of times the IDC is allowed to be used”depending upon service provider or user devices to which the IDCs areprovided. When a service provider or a user device performs personauthentication using an IDC, the “expiration date or the number of timesthe IDC is allowed to be used” stored in the person identificationcertificate (IDC) is verified before making a comparison with samplinginformation. Only when the expiration date or the number of times theIDC is allowed to be used is met, the comparison is performed.

The “expiration date of template” 1005 stored in the personidentification certificate (IDC) is data indicating the expiration dateof the template information stored in the IDC. The “expiration date oftemplate” is set by the person identification certificate authority(IDA) 1001 which issues the person identification certificate (IDC) orby a user himself/herself who provides personal data on the basis ofwhich the template information is generated. In the case where theexpiration date of the template information is set by an user, the usersends the expiration date information together with the personidentification data to the person identification certificate authority(IDA) 1001, which in turn sets the expiration date of the templateinformation in accordance with the received expiration date informationand stores it in the IDC. When a service provider or a user deviceperforms person authentication using an IDC, the “expiration date or thenumber of times the IDC is allowed to be used” stored in the personidentification certificate (IDC) and also the “expiration date oftemplate” of the template information are verified before comparingsampling information with the template stored in the IDC. Only when theexpiration date of the IDC and the expiration date of the template aremet, the comparison is performed.

FIGS. 80A and 80B illustrate manners of managing the “expiration date orthe number of times the IDC is allowed to be used” and the “expirationdate of template” of the template information stored in the personidentification certificate (IDC). FIG. 80A illustrates an example inwhich the expiration date of the IDC 1014 and the expiration date of thetemplate 1015 are stored, and FIG. 80B illustrates an example in whichthe number of times the IDC is allowed to be used 1017 and theexpiration date of the template 1015 are stored.

When a service provider or a user device stores into a storage devicethereof an IDC, shown in FIG. 80A, in which the expiration date of theIDC 1014 and the expiration date of the template 1015 are stored, theIDC is stored after verifying the signature 1016 of the IDC to confirmthat the data has not been tampered with. On the other hand, when personauthentication is performed using the stored IDC, the expiration date ofthe IDC 1014 and the expiration date of the template 1015 stored in theIDC are verified before making a comparison with sampling informationgiven by an user. Only in the case where the expiration dates have notbeen reached, the following process is performed. In the case whereeither expiration date has been exceeded, error handling is performedand the comparison with the sampling information is not performed.

When a service provider or a user device stores into a storage devicethereof an IDC, shown in FIG. 80B, in which the number of times the IDCis allowed to be used 1917 and the expiration date of the template 1015are stored, the IDC is stored after verifying the signature 1016 of theIDC to confirm that the data has not been tampered with. Furthermore,the SAM information indicating the count of usage of the IDC 1019 set inthe IDC is stored in a SAM (Secure Application Module) of the device. Inthe data stored therein, a signature 1018 is writhen using a private keyof the SAM so as to prevent the data from being tampered with. On theother hand, when person authentication is performed using the storedIDC, the expiration date of template 1015 stored in the IDC and also theSAM information indicating the count of times the IDC is used 1019stored in the SAM 1020 are verified before making a comparison withsampling information given by an user. Only when the expiration date ofthe template has not been reached and when the count of usage of the IDCis not equal to zero, the comparison is performed. If the expirationdate has been exceeded, or if the count of usage of the IDC is equal tozero, error handing is performed and the comparison with the samplinginformation is not performed. In the case where the comparison with thesampling information was performed, the count of usage of the IDC storedin the SAM is reduced (decremented) by one.

FIG. 81 illustrates a manner of managing the expiration date of the IDCand the expiration date of the template. First, a person identificationcertificate authority (IDA) 1001 which issues a person identificationcertificate (IDC) determines the rule of setting the expiration date ofthe IDC and the expiration date of the template. A user, who wants aperson identification certificate (IDC) to be issued, provides personidentification information and personal information needed to issue anIDC to the person identification certificate authority (IDA) 1001. Theperson identification certificate authority (IDA) 1001 performs userauthentication and verifies the data. If it is determined that the IDCissue request is valid, the person identification certificate authority(IDA) newly issues a person identification certificate (IDC). In thecase where the process is performed online, mutual authentication isperformed, a signature is added to data to be transmitted, andverification is performed. When a user wants to specify the expirationdate of the template, the user sends his/her personal information to theIDA and furthermore informs the IDA of the desired date to be set as theexpiration date. The IDA sets the expiration date of the template in theIDC in accordance with the specified date.

When a service provider 1002 has a transaction with an user, the serviceprovider 1002 requests a person identification certificate authority(IDA) 1001 to issues an IDC for use in user authentication. The personidentification certificate authority (IDA) 1001 issues to the serviceprovider 1002 a person identification certificate (IDC) in which theexpiration date of the IDC and the expiration date of the template areset. The issued person identification certificate (IDC) includes asignature written using a private key of the person identificationcertificate authority (IDA) 1001. When communication is performedbetween the service provider 1002 and the person identificationcertificate authority (IDA) 1001, mutual authentication is performed, asignature is added to data to be transmitted, and verification isperformed.

After verifying the signature using the public key, stored in theservice provider 1002, of the person identification certificateauthority (IDA) 1001, the service provider 1002 stores the IDC in amemory. To authenticate an user, the IDC expiration date and thetemplate expiration date described in the IDC are verified before makinga comparison with sampling information. Only when the expiration dateshave not been reached, the service provider 1002 accepts samplinginformation from a user and performs a comparison process. In theexample shown in FIG. 81, the template information of the personidentification certificate (IDC) is encrypted using the public key ofthe service provider, and thus the template is extracted from the IDC byperforming decryption using the private key of the service provider andis used for comparison. If the user authentication is successfullypassed, transaction with the user, such as providing of a content, isperformed.

FIG. 82 illustrates a manner of managing the number of times the IDC isallowed to be used and the template expiration date. First, a personidentification certificate authority (IDA) 1001 which issues a personidentification certificate (IDC) determines the rule of setting theexpiration date of the IDC and the expiration date of the template. Auser, who wants issue of a person identification certificate (IDC),provides personal information needed to issue an IDC to the personidentification certificate authority (IDA) 1001. The personidentification certificate authority (IDA) 1001 performs userauthentication and verifies the data. If it is determined that the IDCissue request is valid, the person identification certificate authority(IDA) newly issues a person identification certificate (IDC). When auser wants to specify the expiration date of the template, the usersends his/her personal information to the IDA and furthermore informsthe IDA of the desired date to be set as the expiration date. The IDAsets the expiration date of the template in the IDC in accordance withthe specified date.

When a service provider 1002 has a transaction with an user, the serviceprovider 1002 requests a person identification certificate authority(IDA) 1001 to issues an IDC for use in user authentication. The personidentification certificate authority (IDA) 1001 issues to the serviceprovider 1002 a person identification certificate (IDC) in which thenumber of times the IDC is allowed to be used and the templateexpiration date are set. The issued person identification certificate(IDC) includes a signature written using a private key of the personidentification certificate authority (IDA) 1001.

After verifying the signature using the public key, stored in theservice provider 1002, of the person identification certificateauthority (IDA) 1001, the service provider 1002 stores the IDC in amemory. Furthermore, the count of usage of the IDC, set in the IDC, isstored in a SAM (Secure Application Module) of the service provider1002. On the other hand, when person authentication is performed usingthe stored IDC, the template expiration date stored in the IDC isverified and furthermore the count of usage of the IDC stored in the SAMof the service provider 1002 is verified before making a comparison withsampling information given by an user. Only when the expiration date ofthe template has not been reached and when the count of usage of the IDCis not equal to zero, the comparison is performed. If the expirationdate has been exceeded, or if the count of usage of the IDC is equal tozero, error handing is performed and the comparison with the samplinginformation is not performed. In the case where the comparison with thesampling information was performed, the count of usage of the IDC storedin the SAM is reduced (decremented) by one. In the example shown in FIG.82, in the process of acquiring the person identification certificate(IDC), the user template is encrypted using the public key of theservice provider, and thus the template is extracted from the IDC byperforming decryption using the private key of the service provider andis used for comparison. If the user authentication is successfullypassed, transaction with the user, such as providing of a content, isperformed.

Referring to FIG. 83, the process of controlling the usage of an IDC inaccordance with the “expiration date or number of times the IDC isallowed to be used” and “expiration date of template” of the personidentification certificate (IDC) is described.

If a service provider or a user device starts to user authentication onthe basis of an IDC (S1001), a user inputs or transmits a user ID andsampling data (S1002). The service provider or the user device whichperforms the person authentication retrieves an IDC on the basis of theuser ID and determine whether or not the IDC exists (S1003). If the IDCis not found, the service provider or the user device generates an IDCissue request to a person identification certificate authority (IDA) toacquire the IDC (S1004).

Thereafter, the “template expiration date” information is extracted fromthe person identification certificate (IDC) and verifies the templateexpiration date (S1005). If the expiration date has been reached, theservice provider or the user device requests the person identificationcertificate authority (IDA) to issue an IDC in which a new “templateexpiration date” is set, thereby acquiring the IDC (S1006).

The “IDC expiration date” information is then extracted from the personidentification certificate (IDC) and verifies the IDC expiration date(S1007). If the expiration date has been reached, the service provideror the user device requests the person identification certificateauthority (IDA) to issue an IDC in which a new “IDC expiration date” isset, thereby acquiring the IDC (S1008).

Thereafter, it is determined whether the “number of times the IDC isallowed to be used” is set in the person identification certificate(IDC) (S1009). If it is set, the count of IDC usage stored in the SAM ofthe service provider or the user device is read, and it is determinedwhether the count of IDC usage is equal to zero (S1010). If the count ofIDC usage is equal to zero, the service provider or the user devicerequests the person identification certificate authority (IDA) to issuean IDC in which a new “count of IDC usage” is set, thereby acquiring theIDC (S1011). After acquiring the IDC, the count of IDC usage describedin the newly issues IDC is set in the SAM (S1012).

Thereafter, a template is extracted from the IDC and compared withsampling information given by the user (S1014). After completion of thecomparison, if the number of times the IDC is allowed to be used is setin the IDC (Yes in S1015), the count of IDC usage stored in the DAM isdecremented by one (S1016). If the count of IDC usage becomes equal tozero (Yes in S1017), the IDC is deleted from the SAM (S1018), and theprocess is performed depending upon the comparison result (S1019).

Referring to FIG. 84, there is provided a process which is performed toupdate a person identification certificate (IDC) when a personidentification certificate (IDC) is used if it turns out that the “IDCexpiration date” has been reached.

Herein, it is assumed that a person identification certificate (IDC) ofa user has been created by a person identification certificate authority(IDA) 1001 and has been transmitted, in response to a request from aservice provider 1002, from the person identification certificateauthority (IDA) 1001 to the service provider 1002 and stored in astorage means of the service provider 1002. The “IDC expiration date” isdefined in the person identification certificate (IDC).

When user authentication is performed before starting a transaction withan user, the service provider 1002 reads the IDC and checks the “IDCexpiration date” described in the IDC. If it is detected that the “IDCexpiration date” has been reached, the service provider 1002 requeststhe person identification certificate authority (IDA) 1001 to issue anew IDC. In this case, the service provider 1002 transmits the user IDcorresponding to the IDC to be updated to the person identificationcertificate authority (IDA) 1001. In the data communication, mutualauthentication, addition of a signature, and verification are performed.

In accordance with the user ID, the person identification certificateauthority (IDA) 1001 creates a person identification certificate (IDC)in which a new expiration date is set using the user templateinformation which has already been stored. The created personidentification certificate (IDC) is transmitted to the service provider1002. The service provider stores the updated IDC in the storage meansof the service provider, extracts a template from the updated IDC,decrypts the template, and compares the template with samplinginformation.

In a similar manner to the above-described process of updating the IDCexpiration date, it is possible to update the number of times the IDC isallowed to be used, and it is also possible to update the templateexpiration date set by the person identification certificate authority(IDA) when the expiration data has been reached.

Referring to FIG. 85, there is described a process which is performed toupdate a person identification certificate (IDC) when the checking ofthe expiration date of the person identification certificate (IDC)reveals that the “IDC expiration date” has been reached.

Herein, it is assumed that a person identification certificate (IDC) ofa user has been created by a person identification certificate authority(IDA) 1001 and has been transmitted, in response to a request from aservice provider 1002, from the person identification certificateauthority (IDA) 1001 to the service provider 1002 and stored in astorage means of the service provider 1002. The “IDC expiration date” isdefined in the person identification certificate (IDC).

The service provider 1002 checks, at scheduled intervals, the expirationdate of the person identification certificate (IDC) stored in theservice provider 1002. If it is detected, in the checking at scheduledintervals, that the IDC expiration date has been reached, the serviceprovider 1002 requests the person identification certificate authority(IDA) 1001 to issue a new IDC. In this case, the service provider 1002transmits the user ID corresponding to the IDC to be updated to theperson identification certificate authority (IDA) 1001. In the datacommunication, mutual authentication, addition of a signature, andverification are performed.

In accordance with the user ID, the person identification certificateauthority (IDA) 1001 creates a person identification certificate (IDC)in which a new expiration date is set using the user templateinformation which has already been stored. The created personidentification certificate (IDC) is transmitted to the service provider1002. The service provider stores the updated IDC in the storage meansof the service provider.

In a similar manner to the above-described process of updating the IDCexpiration date, it is possible to update the number of times the IDC isallowed to be used, and it is also possible to update the templateexpiration date set by the person identification certificate authority(IDA) when the expiration data has been reached.

Now, a process of updating template information is described. Updatingof template information may be performed such that the expiration dateof the template information which has already been registered in aperson identification certificate authority (IDA) 1001 is simplyupdated, or such that the template information which has already beenregistered is deleted and then template information is created inaccordance with personal information such as fingerprint informationwhich is newly given by an user. In the case where the existingregistered template information is used and only the expiration date issimply updated, updating may be performed in a similar manner as in theupdating of the IDC expiration date or the number of times the IDC isallowed to be used. In the case where the expiration date of thetemplate information has been set in accordance with the date specifiedby an user, the person identification certificate authority (IDA) 1001may create a person identification certificate (IDC) in which thetemplate expiration date is reset with the approval of the user.

However, in the case where the existing registered template informationis deleted and template information is newly created in accordance withpersonal information such as fingerprint information which is newlygiven by an user, it is required to acquire new person identificationinformation from the user. The processes are described below withreference to FIGS. 86 and 87.

FIG. 86 illustrates a process in which the expiration date of thetemplate information which has already been registered in the personidentification certificate authority (IDA) 1001 is checked by the personidentification certificate authority (IDA) 1001 and updated if theexpiration date has been reached, after informing the user that theexpiration date has been reached.

If the user receives a message indicating that the expiration date ofthe template information has been reached, the user transmits his/herpersonal information such as fingerprint data to the personidentification certificate authority (IDA) 1001. Because this processresults in re-execution of verification of the identification of theuser, it is desirable that the process be performed offline. However,the process may be performed online if it is possible to verify theidentification of the user. In this case, mutual authentication betweenthe user device and the person identification certificate authority(IDA) 1001, addition of a signature to data to be transmitted, andverification are performed.

The person identification certificate authority (IDA) 1001 verifies theidentification of the user and creates a person identificationcertificate (IDC) in which the person identification data is stored astemplate information and a new template expiration date is set. Theexpiration date may be set in accordance with a request from the user.The person identification certificate (IDC) in which the templateexpiration date has been newly set by the person identificationcertificate authority (IDA) 1001 is transmitted to a service provider orthe like in response to a request, for use in person authentication.

FIG. 87 illustrates a process in which template information which hasalready been registered in a person identification certificate authority(IDA) 1001 is updated in response to an updating request from an user.

To make a request for updating template information, a user transmitshis/her personal information such as fingerprint data to the personidentification certificate authority (IDA) 1001. Because this processresults in re-execution of verification of the identification of theuser, it is desirable that the process be performed offline. However,the process may be performed online if it is possible to verify theidentification of the user. In this case, mutual authentication betweenthe user device and the person identification certificate authority(IDA) 1001, addition of a signature to data to be transmitted, andverification are performed.

The person identification certificate authority (IDA) 1001 verifies theidentification of the user and creates a person identificationcertificate (IDC) in which the person identification data is stored astemplate information and a new template expiration date is set. Theexpiration date may be set in accordance with a request from the user.Furthermore, as required, for example, in response to a request from anuser, the person identification certificate authority (IDA) 1001 mayrevoke a person identification certificate (IDC) which has already beenissued and whose expiration date has not been reached yet. Morespecifically, revocation of an IDC is performed by issuing an IDCrevocation list to a service provider or a user device to which the IDChas been issued. In the IDC revocation list, identification data ofrevoked IDCs is described. The service provider or the user device,which has received the IDC revocation list, checks whether the IDCrevocation list includes an IDC identifier of an IDC which is going tobe used in user authentication. If the IDC is included in the IDCrevocation list, the IDC is not used. If necessary, the service provideror the user device requests the person identification certificateauthority (IDA) to update the IDC and executes user authentication usingthe updated IDC.

As described above, when a person authentication execution entityexecutes person authentication on the basis of a person identificationcertificate in which a template serving as person identification data isstored, the person authentication execution entity verifies the validityof the person identification certificate on the basis of the certificateexpiration date, the number of times the certificate is allowed to beused, or the template expiration date. Only when it is determined thatthe person identification certificate is valid, person authentication isperformed by comparing the template stored in the person identificationcertificate with sampling information input by an user. This makes itpossible for a person identification certificate authority to manage thevalidity of person identification certificates. The personidentification certificate authority may update a person identificationcertificate or a template in response to a request from anauthentication execution entity or a person certified by the personidentification certificate. Thus, it becomes possible to update a personidentification certificate or a template at an arbitrary desired time.Furthermore, setting the expiration date makes it possible to examineusers at scheduled intervals and to easily check the validity of personscertified by person identification certificates (IDCs).

The present invention has been described in detail above with referenceto particular embodiments. It will be apparent to those skilled in theart that various modifications and substitution to those embodiments maybe made in the embodiment chosen for illustration without departing fromthe spirit and scope of the invention. That is, the embodiments havebeen described above by way of example and not limitation. The scope ofthe invention is to be determined solely by the appended claims.

1. A person authentication system for executing person authenticationthrough comparing a template serving as user identification data whichhas already been acquired with sampling information input by a user,said person authentication system comprising: a person identificationauthority for creating a person identification certificate storing thetemplate; an entity which executes person authentication for comparingthe template with the sampling information input by a user as personauthentication on the basis of the person identification certificate;and an entity which requests person authentication for requesting tosaid entity which executes person authentication for personauthentication, wherein said entity which requests person authenticationis a user device, and said entity which executes person authenticationis a service provider for providing service to said user device, andsaid service provider verifies a signature of said person identificationauthority written in the person identification certificate provided bysaid user device and transmits the result of verification to said userdevice, and said user device decrypts, by using a private key of saiduser device, a key for encrypting and decrypting the template, the keythat has been encrypted by using a public key of said user device andstored in the person identification certificate and provides thedecrypted key to said service provider, with the sampling informationinput by a user, on condition that the signature is verified to havenever been tampered with, whereby said service provider that is saidentity which executes person authentication decrypts, by using the keyfor encrypting and decrypting the template, the template in the personidentification certificate received from said user device, therebyperforming person authentication.
 2. A person authentication method forexecuting person authentication through comparing a template serving asuser identification data which has already been acquired with samplinginformation input by a user, said person authentication methodcomprising the steps of: creating a person identification certificatestoring the template by said person identification authority: readingout a request for person authentication from said entity which executesperson authentication; and comparing the template with the samplinginformation input by a user as person authentication on the basis of theperson identification certificate in said entity which executes personauthenticatio; wherein said entity which requests person authenticationis a user device, and said entity which executes person authenticationis a service provider for providing service to said user device, andsaid service provider verifies a signature of said person identificationauthority written in the person identification certificate provided bysaid user device and transmits the result of verification to said userdevice, and said user device decrypts, by using a private key of saiduser device, a key for encrypting and decrypting the template, the keythat has been encrypted by using a public key of said user device andstored in the person identification certificate, and provides thedecrypted key with the sampling information input by a user to saidservice provider, on condition that the signature is verified to havenever been tampered with, whereby said service provider that is saidentity which executes person authentication decrypts, by using the keyfor encrypting and decrypting the template, the template in the personidentification certificate received from said user device, therebyperforming person authentication.